Full Disclosure mailing list archives
Totaljs CMS Broken Access Control on the API call
From: paw <riccardo.krauter () gmail com>
Date: Fri, 30 Aug 2019 19:47:33 +0200
[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup [+] Title: Totaljs CMS Broken Access Control on the API call [+] Affected software: Totaljs CMS 12.0[+] Description: An authenticated user with limited privileges can get access to resource that did not own by calling the associated API. The CMS manage correctly the privilege only for the front-end resource path, but it does not the same for the API request. This lead to vertical and horizontal privilege escalation.
[+] Step to reproduce: 1) create a user with any privileges (e.g. “Notices”). 2) log in with this user and browse to http://localhost:8000/admin/notices/ 3) copy the __admin cookie that by default identify the session user4) create a POST request in burp to the following path /admin/api/pages/preview/ with body {"body":"","template":"default"} 5) you will get a 200 response back that means we can successfully used an API call that we don’t have the privilege to use.
[+] Project link: https://github.com/totaljs/cms[+] Original report and details: https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
[+] Timeline: - 13/02/2019 -> reported the issue to the vendor .... many ping here - 18/06/2019 -> pinged the vendor last time - 30/08/2019 -> reported to seclist _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Totaljs CMS Broken Access Control on the API call paw (Sep 03)