=======================================================================
- Broken Access Controls in Password Reset
- Affected Product: DeltaRM 1.2
- Vendor: DeltaRM
- Severity: High
- Vulnerability Class: Broken Access Controls
- Status: Fixed
- Author(s): Renato Cruz
=======================================================================
It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses).
As an authenticated user, send the following request:

    POST /listes/DTsendmaildata/adm_utilisateur/send-mail.json HTTP/1.1
    Host: deltarm.com
    Cookie: PHPSESSID=*session id*
    Content-Type: application/json

    [*array of user ids*]
The application needs to validate the current user's roles and permissions on every request and guarantee that the user can only reach the features and data allowed in that context (here: only an administrator, or the account owner, should be able to trigger a password reset for a given account ID).
- With the exception of public resources, deny by default.
- Log access control failures, alert admins when appropriate (e.g. repeated failures).
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- JWT tokens should be invalidated on the server after logout.
- Developers and QA staff should include functional access control unit and integration tests.
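The following is an added example (not DeltaRM's code and not taken from the advisory) of how the recommendations above translate into a request handler for a "reset passwords for these user IDs" endpoint of the kind described. It models the reported pattern (authenticated caller, no check of which accounts may be reset) next to a hardened version that denies by default, logs and counts access control failures, alerts after repeated failures, and rate limits the endpoint. The user table, roles, thresholds and function names are all constructed assumptions.

```python
"""Added example: deny-by-default authorization for a bulk password-reset
endpoint. Nothing here is DeltaRM code; the user table, role model and
thresholds are constructed for illustration."""
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("access-control")

# Constructed user table: account id -> role. Assumed policy: only 'admin'
# may reset other accounts; everyone else may only reset their own.
USERS = {1: "admin", 2: "user", 3: "user", 4: "user"}


def handle_send_mail_vulnerable(session_user_id, body):
    """Pattern the advisory describes: the caller is authenticated, but the
    handler never checks whether the caller may reset the listed accounts."""
    if session_user_id not in USERS:
        return 401, {"error": "not authenticated"}
    return 200, {"reset": list(body)}  # every id in the body gets reset


def may_reset(actor_id, target_id):
    """Deny by default: only an admin, or the account owner, may reset."""
    role = USERS.get(actor_id)
    if role == "admin":
        return True
    return role is not None and target_id == actor_id


class ResetGuard:
    """Per-session rate-limit state plus access control failure accounting.
    alerts is a stand-in for notifying admins (e.g. repeated failures)."""

    def __init__(self, max_calls=5, window_s=60.0, alert_after=3):
        self.max_calls = max_calls
        self.window_s = window_s
        self.alert_after = alert_after
        self._calls = defaultdict(deque)
        self.failures = defaultdict(int)
        self.alerts = []

    def allow(self, key, now=None):
        """Sliding-window limit: at most max_calls per window_s per key."""
        now = time.monotonic() if now is None else now
        q = self._calls[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True

    def record_failure(self, user_id, denied_ids):
        self.failures[user_id] += 1
        log.warning("access control failure: user %s requested reset of %s",
                    user_id, denied_ids)
        if self.failures[user_id] >= self.alert_after:
            self.alerts.append((user_id, self.failures[user_id]))
            log.error("ALERT: %d access control failures for user %s",
                      self.failures[user_id], user_id)


def handle_send_mail(session_user_id, body, guard, now=None):
    """Hardened handler: validate input, rate limit, then authorize every
    target id before doing anything. Returns (status, json_body)."""
    if session_user_id not in USERS:
        return 401, {"error": "not authenticated"}
    if not isinstance(body, list) or not all(
        isinstance(i, int) and not isinstance(i, bool) for i in body
    ):
        return 400, {"error": "expected JSON array of integer user ids"}
    if not guard.allow(session_user_id, now):
        log.warning("rate limit hit on send-mail for user %s", session_user_id)
        return 429, {"error": "too many reset requests"}
    denied = [t for t in body if not may_reset(session_user_id, t)]
    if denied:
        # All-or-nothing: one forbidden id rejects the whole request, and the
        # denied check runs before existence checks so it leaks nothing about
        # which ids exist.
        guard.record_failure(session_user_id, denied)
        return 403, {"error": "not permitted to reset these accounts"}
    unknown = [t for t in body if t not in USERS]
    if unknown:
        return 404, {"error": "unknown user ids", "ids": unknown}
    # reset_and_mail(body) would go here; return which accounts were reset
    return 200, {"reset": list(body)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    g = ResetGuard()
    print(handle_send_mail_vulnerable(2, [1, 3]))  # ordinary user resets others
    print(handle_send_mail(2, [1, 3], g))          # hardened: 403
    print(handle_send_mail(2, [2], g))             # own account: 200
```

The authorization decision is made per target id and the whole request is rejected if any id fails, so a user cannot mix one permitted id with several forbidden ones; the failure counter and alert list are what the "log access control failures, alert admins" recommendation looks like in code, and the rate limiter caps how fast the endpoint can be driven from a single session.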
- 26-10-2021: Vulnerability disclosed to DeltaRM
- 28-10-2021: Acknowledgement from vendor
- 11-12-2021: Fix released by the vendor
- 10-01-2022: Retest performed, vulnerability fixed