lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 30 Aug 2019 19:47:33 +0200
From: paw <riccardo.krauter@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Totaljs CMS Broken Access Control on the API call

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Broken Access Control on the API call

[+] Affected software: Totaljs CMS 12.0

[+] Description: An authenticated user with limited privileges can get 
access to resource that did not own by calling the associated API.
The CMS manage correctly the privilege only for the front-end resource 
path, but it does not the same for the API request. This lead to 
vertical and horizontal privilege escalation.

[+] Step to reproduce:

1) create a user with any privileges (e.g. “Notices”).
2) log in with this user and browse to http://localhost:8000/admin/notices/
3) copy the __admin cookie that by default identify the session user
4) create a POST request in burp to the following path 
/admin/api/pages/preview/ with body {"body":"","template":"default"}
5) you will get a 200 response back that means we can successfully used 
an API call that we don’t have the privilege to use.

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details: 
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 30/08/2019 -> reported to seclist


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists