Headline
CVE-2022-4823: Detect GeoPoll AT's to: number (#88) · instedd/nuntium@77236f7
A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium. Affected is an unknown function of the file app/controllers/geopoll_controller.rb. The manipulation of the argument signature leads to observable timing discrepancy. It is possible to launch the attack remotely. The name of the patch is 77236f7fd71a0e2eefeea07f9866b069d612cf0d. It is recommended to apply a patch to fix this issue. VDB-217002 is the identifier assigned to this vulnerability.
@@ -20,25 +20,32 @@ class GeopollController < ApplicationController skip_filter :check_login
# POST /:account_name/:channel_name/:secret_token/geopoll/incoming # POST /:account_name/:channel_name/geopoll/incoming def incoming account = Account.find_by_id_or_name(params[:account_name]) channel = account.geopoll_channels.find_by_name(params[:channel_name]) auth_token = channel.configuration[:auth_token].to_s.split(' ')[1] identifier = params[:Identifier] signature = Digest::MD5.hexdigest(auth_token + identifier)
if signature != params[:Signature] if !(ActiveSupport::SecurityUtils.secure_compare params[:Signature], signature) return render text: "Error", status: :unauthorized end
unknown_params = params.except( 'Identifier’, 'Signature’, 'SourceAddress’, 'TargetAddress’, 'MessageText’, # GeoPoll API specification 'account_name’, 'channel_name’, 'controller’, ‘action’ # Rails-generated parameters )
msg = AtMessage.new msg.from = “sms://#{params[:SourceAddress]}” msg.to = “sms://#{channel.configuration[:from]}” msg.to = “sms://#{params[:TargetAddress]}” msg.body = params[:MessageText] msg.channel_relative_id = params[:Identifier] account.route_at msg, channel
channel.logger.warning :channel_id => channel.id, :at_message_id => msg.id, :message => “Received unknown parameters for AT #{msg.id}: #{unknown_params.to_json}” unless unknown_params.empty?
render text: “Accepted” end
@@ -51,6 +58,11 @@ def status return render text: "Error", status: :not_found end
unknown_params = params.except( 'MessageId’, 'Status’, # GeoPoll API specification 'account_name’, 'channel_name’, 'controller’, ‘action’ # Rails-generated parameters )
status = params[:Status] case status when “SUCCESS” @@ -63,8 +75,10 @@ def status account.logger.info :channel_id => channel.id, :ao_message_id => ao.id, :message => “Recieved delivery notification with status #{status.inspect}”
ao.custom_attributes[:geopoll_status] = status if status ao.save! channel.logger.warning :channel_id => channel.id, :at_message_id => msg.id, :message => “Received unknown parameters for AO #{msg.id} Status: #{unknown_params.to_json}” unless unknown_params.empty?
ao.custom_attributes[:geopoll_status] = status if status ao.save!
render text: “Accepted” end