CVE-2022-36076: Bug Bounty Adventures: A NodeBB 0-day

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out. This re-exposed a vulnerability in that a specially crafted Man-in-the-Middle (MITM) attack could theoretically take over another user account during the single sign-on process. The issue has been fully patched in version 1.17.2.


Opera maintains both a public bug bounty program and a private program, where security researchers can submit security issues they have found in Opera’s products for cash rewards. We like to highlight some of the issues that have been submitted, to educate the community about the types of issues they should be on the look-out for. In this post, we outline a vulnerability that was submitted to us concerning third-party software – NodeBB – which turned out to be a 0-day.

In May 2021, we received a bug bounty submission from researcher Mar0uane about an account-takeover vulnerability in one of the forums we maintain, affecting the forum software’s single-sign-on module.

In the report, Mar0uane outlined that it was possible to create a single-sign-on authorization code for his own account, then trick a different user into associating their account with that authorization code via cross-site request forgery (CSRF). The following instructions to reproduce the issue were given:

  1. Create two accounts; A (Attacker) and B (Victim).
  2. Sign into the attacker account, and begin the process of enabling Google SSO.
  3. Intercept the request and retrieve a URI similar to: https://forums.opera.com/auth/google/callback?code=XXXX
  4. In a new browser, logged in with the victim account, navigate to the intercepted URI.

After step 4, the victim’s account is associated with the attacker’s SSO account – with no user interaction needed. This also means that a foreign website can embed a frame pointing at this URI, so that a logged-in user (such as an administrator) is compromised without their knowledge.

This type of vulnerability is neither new nor overly complicated. OWASP documents this class of issue, and testing for it should be standard practice for pentesters. What is somewhat interesting about this specific vulnerability, however, is that NodeBB is forum software used by thousands of users around the world. For many companies – and individuals – performing such basic tests against widely used software may be seen as a waste of time, due to the assumption that somebody, somewhere, will already have tested for this sort of vulnerability.

According to NodeBB’s developer, this report was not the first they had heard of this issue. In June 2018, it was reported via their bug bounty program. However, the same issue was accidentally re-introduced when that part of the code was refactored in early 2021. Effectively, Mar0uane had reported to us a 0-day that had been un-fixed just five months earlier – showing the value of the bug bounty system both via the original report in June 2018 and via the report in May 2021.

In the end, the vulnerability was fixed. While we normally don’t pay out for issues found in third-party code, an exception was made in this case, and both we and NodeBB rewarded the reporter with some cash. Ultimately, this shows that when pentesting a website, it’s worth testing your assumptions.

Related news

GHSA-xmgg-fx9p-prq6: NodeBB account takeover via SSO plugins

_This is a historical security advisory, pertaining to a vulnerability that was reported, patched, and published in 2021. It is listed here for completeness and for CVE tracking purposes._

### Impact

Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out. This re-exposed a vulnerability in that a specially crafted MITM attack could theoretically take over another user account during the single sign-on process.

### Patches

The issue has been fully patched as of v1.17.2. The patch commit can be found at https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4

### Workarounds

Site maintainers can cherry-pick https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4 into their codebase to patch the exploit.

### References

* https://blogs.opera.com/security/2022/03/bug-bounty-advent...
