CVE-2021-3967: Improper Access Control in zulip

Improper Access Control in GitHub repository zulip/zulip prior to 4.10.


Description

According to the current design of the application, when the user wants to read the value of api_key, the API /json/fetch_api_key requires the password for authentication. However, the application exposes another API, /json/users/me/api_key/regenerate, that regenerates the api_key value and does not require password authentication. An attacker who obtains the user's valid session can call the vulnerable API to extract the api_key value without the user's password.

Proof of Concept

I'm using the online service at https://testingnnnn.zulipchat.com.

  • Step 1: Log in as a normal user, go to https://testingnnnn.zulipchat.com/#settings/account-and-privacy and click "Show/change your API key"; the application will ask for the password before performing the action.

  • Step 2: In the current session, send this request to regenerate and obtain the value of api_key:

    POST /json/users/me/api_key/regenerate HTTP/2
    Host: testingnnnn.zulipchat.com
    Cookie: [YOUR_VALID_COOKIE]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Csrftoken: [VALID_CSRF_TOKEN]
    X-Requested-With: XMLHttpRequest
    Referer: https://testingnnnn.zulipchat.com/
    Connection: close

  • PoC:

Show api_key: https://drive.google.com/file/d/1_A7KQeoyByA3xYwIyJ1k9ZTywabwlEMM

Regenerate api_key: https://drive.google.com/file/d/1Ob96FTju4irz2Hn2sXBXz_JtMlEAmAp0

Impact

Bypasses the protection mechanism in the application's design: an attacker holding a valid session can obtain the api_key value without knowing the user's password.
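To make the reported gap concrete, here is an added model in Python (not Zulip's code; the in-memory store, the function names and the hardened variant are assumptions): the password-gated fetch route beside the regenerate route, first as reported and then routed through the same password gate.

```python
import hashlib
import hmac
import os
import secrets

_USERS = {}  # constructed in-memory store, username -> record; not Zulip's model

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt,
                        "pw_hash": _hash_password(password, salt),
                        "api_key": secrets.token_hex(16)}

def _require_reauth(session: dict, password) -> dict:
    """The single gate: a session names the user, only the password proves
    it is really them. Returns the user record or raises PermissionError."""
    user = _USERS[session["user"]]
    if password is None or not hmac.compare_digest(
            _hash_password(password, user["salt"]), user["pw_hash"]):
        raise PermissionError("password confirmation required")
    return user

def fetch_api_key(session: dict, password) -> str:
    """Model of /json/fetch_api_key: gated by the password."""
    return _require_reauth(session, password)["api_key"]

def regenerate_api_key_vulnerable(session: dict) -> str:
    """Model of /json/users/me/api_key/regenerate as reported: the session
    cookie alone suffices, so a fresh key is returned with no password."""
    user = _USERS[session["user"]]
    user["api_key"] = secrets.token_hex(16)
    return user["api_key"]

def regenerate_api_key_fixed(session: dict, password) -> str:
    """Hardened variant (assumed, not the upstream patch): regenerate passes
    through the same gate as fetch, so no route yields a key without it."""
    user = _require_reauth(session, password)
    user["api_key"] = secrets.token_hex(16)
    return user["api_key"]

def is_denied(call, *args) -> bool:
    """True when the route refuses the request."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False
```

The lesson for review is that every route that reveals or mints the secret must share one re-authentication check, not only the one the UI happens to call.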
