Improper Access Control in collectiveaccess/pawtucket2
Reported on Oct 1st 2021
Description
After the previous patch fix, users can join the Root group by specifying http://[PAWTUCKET-URL]/pawtucket/index.php/LoginReg/joinGroup/group_code/*
Proof of Concept
http://[PAWTUCKET-URL]/pawtucket/index.php/LoginReg/joinGroup/group_code/*
Impact
Attackers can join the Root group without being invited. Weirdly, I cannot join any other groups using the standard group_code URL after the new fix (I think it may be broken!), but I can access the Root group, perhaps because MySQL interprets * as 'all elements' and the first element in the ca_user_groups table is Root.
Yeah, something is off. "Root" is not what it sounds like, by the way. It's a hierarchical root record. I didn't see this before. The function does filter wildcards and restrict to public (non-privileged) groups. Thanks for picking this up.
There's definitely a problem, which I've just hopefully patched for the last time. Serves me right for rushing. Let me know if you see any other issues. Thanks.
When I was testing the application, the group code via http://[PAWTUCKET-URL]/pawtucket/index.php/LoginReg/joinGroup/group_code/lb_X_XXXXXXX was not working; has it been fixed in the newest fix?
That's not a valid group code. 5B8F9E (for today) in the demo is a valid public group code.
... and I've confirmed that valid ones work, invalid ones don't and metacharacters are rejected.
I never knew there was a pawtucket demo 😨, this whole time I was testing on my local system.
One thing - only groups marked for "public" use are supposed to be accessible in Pawtucket. So perhaps your lb_X_XXXXXXX was not public?
But I will still continue to use my local system for better debugging purposes.
Thanks again for doing this work. This is very old code (some of it goes back to 2000), and a lot of people worked (or didn't...) on it over the years. It's a huge help to have you looking at it for these issues.
I created the group as a logged-in user in Pawtucket2; when I clicked "show URL", it said http://10.0.2.15/pawtucket/index.php/LoginReg/joinGroup/group_code/lb_2_1633089827
Another thing I'd like to point out: when I was searching the ca_user_groups MySQL table, I found that admin, Root and cataloguer were codes. I tried them out on my local system and they did not work like lb_X_XXXXXXX; do they work in the new fix?
Those are not supposed to work. Only public groups should work. I have to run now. Will check later.
They weren't being marked as public so they couldn't be joined once created. In case you're wondering how no one has noticed that they've been broken for literally years... well no one uses these particular features. They were done for a grant-funded project, then forgotten. It's nice to make them actually work again.
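The two checks the thread converges on (reject wildcard/metacharacter input in group_code, then allow only groups flagged public to be joined) modelled as an added example. This is not CollectiveAccess code; the group-code shapes in the allowlist (lb_N_timestamp and six-character codes like 5B8F9E), the UserGroup rows and the path-parsing helper are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


# Constructed stand-in for rows of the ca_user_groups table (not the real schema).
@dataclass(frozen=True)
class UserGroup:
    code: str
    name: str
    is_public: bool  # only public groups may be joined via the LoginReg URL


# Assumed allowlist of group-code shapes seen in the thread: "lb_<N>_<timestamp>"
# for user-created groups, or a six-character alphanumeric code such as 5B8F9E.
# Anything else ("*", "%", "Root?", "") is refused before any lookup happens.
GROUP_CODE_RE = re.compile(r"^(lb_\d+_\d+|[0-9A-Za-z]{6})$")

# Constructed sample data: two privileged, non-public groups and two public ones.
GROUPS = [
    UserGroup("Root", "Root", False),
    UserGroup("admin", "Administrators", False),
    UserGroup("lb_2_1633089827", "Reporter's test group", True),
    UserGroup("5B8F9E", "Demo public group", True),
]


def group_code_from_path(path):
    """Hypothetical helper: pull the group_code segment out of a joinGroup path.

    Returns None unless exactly one non-empty segment follows /group_code/.
    """
    marker = "/LoginReg/joinGroup/group_code/"
    if marker not in path:
        return None
    tail = path.split(marker, 1)[1]
    if not tail or "/" in tail or "?" in tail:
        return None
    return tail


def find_joinable_group(group_code, groups=GROUPS):
    """Return the group a user may join for `group_code`, else None.

    The allowlist stops wildcard input ("*") from ever reaching the query, so it
    cannot match "all elements"; the exact, case-sensitive comparison plus the
    is_public flag stops privileged codes such as "Root" or "admin" even when
    they are typed literally.
    """
    if not GROUP_CODE_RE.fullmatch(group_code):
        return None
    for g in groups:
        if g.code == group_code and g.is_public:
            return g
    return None


def handle_join(path, groups=GROUPS):
    """Resolve a full request path to a joinable group, or None to refuse."""
    code = group_code_from_path(path)
    return None if code is None else find_joinable_group(code, groups)
```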