Improper Access Control in collectiveaccess/pawtucket2

Valid

Reported on

Oct 1st 2021


Description

After the previous patch fix, users can join the Root group by specifying http://[PAWTUCKET-URL]/pawtucket/index.php/LoginReg/joinGroup/group_code/*

Proof of Concept

http://[PAWTUCKET-URL]/pawtucket/index.php/LoginReg/joinGroup/group_code/*

Impact

Attackers can join the Root group without being invited. Weirdly, I cannot join any other groups using the standard group_code URL after the new fix (I think it may be broken!), but I can access Root group perhaps because MySQL interprets * as 'all elements' and the first element in the ca_user_groups table is Root.
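
The wildcard behaviour described in the report and the filtering the maintainer describes later in the thread, as an added illustration that is not CollectiveAccess's own code: a constructed in-memory stand-in for ca_user_groups (column names and the for_public_use flag are assumptions) with a lookup that treats `*` as an SQL wildcard beside a hardened lookup that rejects metacharacters and admits only public groups.

```python
import re
import sqlite3

# Constructed stand-in for the ca_user_groups table. Column names and the
# for_public_use flag are assumptions, not the real CollectiveAccess schema.
ROWS = [
    (1, "Root", "Root", 0),                      # hierarchical root record
    (2, "admin", "Administrators", 0),           # internal, never joinable
    (3, "cataloguer", "Cataloguers", 0),         # internal, never joinable
    (4, "lb_2_1633089827", "Reading list", 1),   # public group made in Pawtucket
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ca_user_groups "
        "(group_id INTEGER, code TEXT, name TEXT, for_public_use INTEGER)"
    )
    db.executemany("INSERT INTO ca_user_groups VALUES (?, ?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, group_code):
    # Illustrative pre-fix behaviour: the caller's "*" becomes an SQL wildcard
    # and the first matching row wins, so "*" resolves to the first row (Root).
    pattern = group_code.replace("*", "%")
    row = db.execute(
        "SELECT code FROM ca_user_groups WHERE code LIKE ? LIMIT 1", (pattern,)
    ).fetchone()
    return row[0] if row else None


# Strict alphabet for a group code: no wildcards or other metacharacters.
CODE_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def lookup_hardened(db, group_code):
    # Validate before touching the database, compare the bound value exactly
    # (no LIKE), and only admit groups explicitly flagged for public use.
    if not CODE_RE.fullmatch(group_code):
        return None
    row = db.execute(
        "SELECT code FROM ca_user_groups WHERE code = ? AND for_public_use = 1",
        (group_code,),
    ).fetchone()
    return row[0] if row else None
```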

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back 2 months ago
CollectiveAccess
2 months ago

Maintainer


Yeah something is off. "Root" is not what it sounds like, by the way. It's a hierarchical root record. I didn't see this before. The function does filter wildcards and restrict to public (non-privileged groups). Thanks for picking this up.

CollectiveAccess validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess
2 months ago

Maintainer


There's definitely a problem, which I've just hopefully patched for the last time. Serves me right for rushing. Let me know if you see any other issues. Thanks.

haxatron
2 months ago

Researcher


When I was testing the application, group code via http://[PAWTUCKET-URL]/pawtucket/index.php/LoginReg/joinGroup/group_code/lb_X_XXXXXXX was not working, has it been fixed in the newest fix?

CollectiveAccess
2 months ago

Maintainer


That's not a valid group code. 5B8F9E (for today) in the demo is a valid public group code.

CollectiveAccess
2 months ago

Maintainer


... and I've confirmed that valid ones work, invalid ones don't and metacharacters are rejected.

haxatron
2 months ago

Researcher


I never knew there was a pawtucket demo 😨, this whole time I was testing on my local system.

CollectiveAccess
2 months ago

Maintainer


Sorry :-/

haxatron
2 months ago

Researcher


It's okay haha, thanks for fixing the vulnerabilities!

CollectiveAccess
2 months ago

Maintainer


One thing - only groups marked for "public" use are supposed to be accessible in Pawtucket. So perhaps your lb_X_XXXXXXX was not public?

haxatron
2 months ago

Researcher


But I will still continue to use my local system for better debugging purposes.

CollectiveAccess
2 months ago

Maintainer


Thanks again for doing this work. This is very old code (some of it goes back to 2000), and a lot of people worked (or didn't...) on it over the years. It's a huge help to have you looking at it for these issues.

haxatron
2 months ago

Researcher


I created the group as a logged-in user in Pawtucket2, when I clicked show URL, it said http://10.0.2.15/pawtucket/index.php/LoginReg/joinGroup/group_code/lb_2_1633089827

CollectiveAccess
2 months ago

Maintainer


ok let me try that

haxatron
2 months ago

Researcher


no problems! I'm paid by huntr to do this 😁

haxatron
2 months ago

Researcher


another thing I'd like to point out - when I was searching the ca_user_groups MySQL table I found that admin, Root and cataloguer were codes. I tried them out on my local system and they did not work like lb_X_XXXXXXX, do they work in the new fix?

haxatron
2 months ago

Researcher


MySQL table on my local system*

CollectiveAccess
2 months ago

Maintainer


Those are not supposed to work. Only public groups should work. I have to run now. Will check later.

CollectiveAccess
2 months ago

Maintainer


They weren't being marked as public so they couldn't be joined once created. In case you're wondering how no one has noticed that they've been broken for literally years... well no one uses these particular features. They were done for a grant-funded project, then forgotten. It's nice to make them actually work again.

CollectiveAccess confirmed that a fix has been merged on 82a401 2 months ago
CollectiveAccess has been awarded the fix bounty