
@rntcruz23
Created January 17, 2022 10:46
CVE-2021-44839

=======================================================================

  • Broken Access Controls in Password Reset
  • Affected Product: DeltaRM 1.2
  • Vendor: DeltaRM
  • Severity: High
  • Vulnerability Class: Broken Access Controls
  • Status: Fixed
  • Author(s): Renato Cruz

=======================================================================

Summary

Any authenticated user can trigger a password reset for any other account by supplying that account's ID. The /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint accepts a JSON array of user IDs and, without checking whether the caller is allowed to administer those accounts, resets each one's password and e-mails the new password to the account's address. A low-privileged user can therefore force password changes on arbitrary accounts.

Reproduction Steps

As an authenticated (non-administrative) user, send the following request; the session ID and the array of user IDs are placeholders:

POST /listes/DTsendmaildata/adm_utilisateur/send-mail.json HTTP/1.1
Host: deltarm.com
Cookie: PHPSESSID=*session id*
Content-Type: application/json

[*array of user ids*]

Remediation

The application needs to validate the current user's roles and permissions on every request to this endpoint, and guarantee that a user can only act on the accounts and features they are allowed to (here: an ordinary user must not be able to reset anyone else's password).

  • With the exception of public resources, deny by default.
  • Log access control failures, alert admins when appropriate (e.g. repeated failures).
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • Session tokens (the PHPSESSID cookie here, or JWTs where used) should be invalidated on the server after logout.
  • Developers and QA staff should include functional access control unit and integration tests.
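The following is an added example, not DeltaRM's code, that models the request from the reproduction steps against two versions of a bulk password-reset handler: a vulnerable one that checks only that the caller has a session (the class of bug in CVE-2021-44839), and a hardened one that applies the remediation points above (deny by default, authorize every target ID against the caller's role, log access control failures, rate limit the endpoint, reject malformed input). The user table, session table, role names and rate-limit numbers are assumptions for illustration.

```python
"""
Added example (not DeltaRM code): a minimal model of a bulk password-reset
endpoint in its vulnerable form and a hardened form. The request shape
(JSON array of user IDs, session cookie) follows the advisory; the user
table, session table, role names and limits below are constructed.
"""
import json
import logging
import time
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("reset")

# Constructed sample user table: id -> (email, role)
USERS = {
    1: ("admin@example.test", "admin"),
    2: ("alice@example.test", "user"),
    3: ("bob@example.test", "user"),
}

# Constructed session table: PHPSESSID-style cookie value -> user id
SESSIONS = {"sess-admin": 1, "sess-alice": 2}


def reset_password(user_id: int) -> str:
    """Stand-in for the real side effect: returns the address the new password would be mailed to."""
    return USERS[user_id][0]


def vulnerable_send_mail(cookie: str, body: str) -> dict:
    """Vulnerable handler: authenticates the caller but never authorizes the targets.
    Any logged-in user can reset the password of every id in the array."""
    if cookie not in SESSIONS:
        return {"status": 401, "reset": []}
    ids = json.loads(body)
    return {"status": 200, "reset": [reset_password(i) for i in ids if i in USERS]}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key, now=None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.calls[key]
        while q and now - q[0] > self.window:  # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60.0)  # assumed limit per caller


def hardened_send_mail(cookie: str, body: str, now=None) -> dict:
    """Hardened handler: authenticate, rate-limit, validate input, then authorize
    every target id against the caller's role before any reset happens."""
    caller = SESSIONS.get(cookie)
    if caller is None:
        return {"status": 401, "reset": []}
    if not LIMITER.allow(caller, now):
        log.warning("rate limit hit for user %s", caller)
        return {"status": 429, "reset": []}
    try:
        ids = json.loads(body)
        if not isinstance(ids, list) or not all(isinstance(i, int) for i in ids):
            raise ValueError("body must be a JSON array of integer ids")
    except ValueError as e:  # json.JSONDecodeError is a ValueError subclass
        return {"status": 400, "reset": [], "error": str(e)}
    role = USERS[caller][1]
    # Deny by default: only admins may reset other accounts; everyone else only their own.
    denied = [i for i in ids if role != "admin" and i != caller]
    if denied:
        log.warning("access control failure: user %s tried to reset %s", caller, denied)
        return {"status": 403, "reset": []}
    return {"status": 200, "reset": [reset_password(i) for i in ids if i in USERS]}


if __name__ == "__main__":
    # Alice (an ordinary user) sends the advisory's request targeting the admin and Bob.
    print(vulnerable_send_mail("sess-alice", "[1, 3]"))  # resets both: the bug
    print(hardened_send_mail("sess-alice", "[1, 3]"))    # 403, logged
    print(hardened_send_mail("sess-admin", "[2, 3]"))    # 200, admin may do this
```

The authorization check runs before any reset is performed, so a single disallowed ID in the array rejects the whole request rather than resetting the permitted ones and skipping the rest; that keeps the endpoint from doubling as an oracle for which IDs exist.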

Disclosure Timeline

  • 26-10-2021: Vulnerability disclosed to DeltaRM
  • 28-10-2021: Acknowledgement from vendor
  • 11-12-2021: Fix released by the vendor
  • 10-01-2022: Retest performed, vulnerability fixed