The UI Performs the Wrong Action in zikula/core

Valid

Reported on

Sep 17th 2021


Description

Sensitive data can be exposed even after logging out of the application

Proof of Concept

Tested url :: https://demo.ziku.la/
Tested on :: Firefox

1) Log in to the application
2) Go to my account
3) Click the logout button
4) Press the browser back button
5) Now we can re-enter the dashboard

Impact

Any other user can view the data if the browser tab remains open. The application must strictly redirect to the login page even when the browser back button is pressed.

We have contacted a member of the zikula/core team and are waiting to hear back a month ago
Axel
a month ago

Hello and thank you for reporting, I doubt that this can be prevented from server-side because Firefox is just showing the old page from its client cache. When you reload or click on another link/button it does not happen, since the session is gone. The actual fix would be disabling any kind of cache inside the browser (unless using a proxy). Hence, I am marking this as invalid. Sorry.

Axel Guckelsberger has invalidated this vulnerability a month ago

The disclosure bounty has been dropped
The fix bounty has been dropped
0xdhinu
a month ago

Researcher


About the vulnerability: The back, forward and refresh buttons of the browser can be used to steal the password of a previous user. In this article we examine the vulnerability and look at ways to solve it.

A web browser has the functionality to store the recent pages browsed by the user in its history. The back and forward buttons on the browser make use of this history to display the pages that the user visited recently. The browser also keeps track of the variables that were sent as part of the request to the server for each page. The refresh feature of the browser automates posting of the variables to the server, thereby greatly improving the user experience while browsing.

These features enhance the user experience, but at the same time they expose a high-risk vulnerability. This happens due to the application being insecurely designed. Attackers exploit these functionalities of the browser to obtain access to user credentials. Let's see how this works and the solutions to overcome this problem.

Solution:

1) Use an intermediate page between the login page and the first page displayed after authentication (myhome.asp in this case). This intermediate page should be used to redirect the user via an "HTTP Redirect command" to myhome.asp after successful login. In such a scenario, the login request is redirected immediately by the intermediate page.

2) Use a salted hash technique for authentication. In this method, the password is hashed before sending it to the server. This hash is made random using a salt (a random value) provided by the server. This salt is added to the hash generated from the password and then hashed again. This salted hash is sent to the server for authentication. This way, even if the attacker uses the refresh button to capture the request, only the salted hash value will be visible. It will not allow the attacker to log in by refreshing, as the salt would change at the next login.

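The fix that was later merged is not shown on this page. As an added example (not zikula/core's code), the usual server-side mitigation for the back-button issue in this report: a WSGI middleware that marks every authenticated response as uncacheable so the browser does not replay it from its history cache after logout, plus a small checker for the header a tester would look for. The `sid` cookie name, the `/dashboard` path and the sample app are assumptions.

```python
# Added example, not zikula/core's code. Assumption: a logged-in session is
# identified by a cookie named "sid"; anonymous pages keep their own caching.
NO_STORE = "no-store, no-cache, must-revalidate, max-age=0"


def is_authenticated_request(environ):
    """Assumed marker of a logged-in session: a 'sid' cookie is present."""
    cookie = environ.get("HTTP_COOKIE", "")
    return any(part.strip().startswith("sid=") for part in cookie.split(";"))


class NoStoreMiddleware:
    """Replace any caching headers on authenticated responses with no-store."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            if is_authenticated_request(environ):
                headers = [(k, v) for k, v in headers
                           if k.lower() not in ("cache-control", "pragma", "expires")]
                headers += [("Cache-Control", NO_STORE),
                            ("Pragma", "no-cache"),   # HTTP/1.0 caches
                            ("Expires", "0")]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start_response)


def back_button_safe(headers):
    """True if the response tells the browser not to keep this page in its cache."""
    cc = next((v for k, v in headers if k.lower() == "cache-control"), "")
    directives = {d.strip().lower() for d in cc.split(",")}
    return "no-store" in directives


def demo_app(environ, start_response):
    # Constructed sample application: a dashboard with no caching headers at all.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard"]


def run(app, cookie=""):
    """Drive app with a constructed GET request; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/dashboard", "HTTP_COOKIE": cookie}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

`Cache-Control: no-store` is what keeps most browsers from serving the page again on Back; some browsers' back/forward cache can still restore recently viewed pages from memory, so confirm the behaviour in the browser you tested with rather than from the headers alone.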
Axel
23 days ago

Sorry, this was indeed a valid one. We fixed it in https://huntr.dev/bounties/c4371a9a-e355-4869-928c-8c275cf7beb4/ but the bounty should be yours.

0xdhinu
23 days ago

Researcher


@admin , The report is valid

Jamie Slome validated this vulnerability 22 days ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
22 days ago

Admin


Sorted! Feel free to confirm the fix when you have the time.

Axel Guckelsberger confirmed that a fix has been merged on f085bb 22 days ago
Axel Guckelsberger has been awarded the fix bounty