CVE-2019-9921

Affected software

JE Messenger 1.2.2 Joomla Module by Harmis Technology.

What: Incorrect Access Control

Due to insufficient protection mechanisms, any authenticated user can read other users' messages without having access rights to them.

Meta

During the preparation of one of our incident response exercises, one of our CERT Members (Tobias Roggenhofer) detected an unexpected behavior of the Joomla Module JE Messenger of Harmis Technology in its current version (1.2.2). Due to this behavior, we started analyzing this module and detected several vulnerabilities.

We informed the software vendor that we had detected vulnerabilities in their module. Sadly, a secure communication channel for sharing the details could not be established.

Since we still want to disclose our findings in a responsible way, in a first step on 2019-03-29 we only announced the type of vulnerability and the associated risk. This gives the software vendor time to patch the module, and users time to move to another module or temporarily disable it. Since 2019-05-01 we have published more details, including some payloads.

CVSS

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N : 7.7

Detailed description

It is possible to read any message from any other user that has not been completely removed. In this example we have a message that was sent from user2 to user3.
[Image: Secret Message from user2 to user3]

We are logged in as user1, but we are still able to read that message. To do so, we open a message we already received; in this example we use a message we wrote to ourselves.
[Image: Message in the inbox of user1]

Now we change the value of the URL parameter 'cid[0]'. In this example we have to change the value to 66 to read, as user1, the message shown in the first picture. The number 66 of this example must be guessed, but this is not very hard, because the message ids are simple increasing (even) numbers. So it is easy to iterate over all existing messages, for example with a script.
[Image: Message in the inbox of user1]

Some of the ids will not show any message content. This means that the message with this id is not in the Inbox. But you can also look into the Outboxes (odd numbers only) and the Trash folders by changing the value of the URL parameter 'folder' to 'Outbox' or 'Trash'. If the message is in none of these folders, it has already been deleted.
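The following is an added example, not code from JE Messenger or Harmis Technology: a minimal model of the message lookup behind this finding, with the id-only lookup that leaks other users' messages beside a hardened lookup that binds the id to the requesting user and the requested folder. The table layout, user names and message ids are constructed to mirror the Inbox/Outbox/Trash folders and the cid[0] tampering described above.

```python
import sqlite3


def build_db():
    """Constructed sample data: every stored copy of a message has an owner
    and a folder. Even ids model recipient (Inbox) copies, odd ids sender
    (Outbox) copies, as the advisory observes."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, "
        "folder TEXT, body TEXT)"
    )
    db.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (65, "user2", "Outbox", "Secret Message from user2 to user3"),
        (66, "user3", "Inbox", "Secret Message from user2 to user3"),
        (67, "user1", "Outbox", "Note to self"),
        (68, "user1", "Inbox", "Note to self"),
        (70, "user3", "Trash", "Old message"),
    ])
    return db


def read_message_vulnerable(db, current_user, folder, cid):
    """Vulnerable pattern: the row is selected by id alone. The logged-in
    user and the requested folder never reach the query, so any guessed
    cid[0] value returns someone else's message."""
    row = db.execute("SELECT body FROM messages WHERE id = ?", (cid,)).fetchone()
    return row[0] if row else None


def read_message_fixed(db, current_user, folder, cid):
    """Hardened pattern: the id is honoured only if that row belongs to the
    requesting user in the requested folder; anything else is 'not found',
    so a tampered id cannot be distinguished from a non-existent one."""
    if folder not in ("Inbox", "Outbox", "Trash"):
        return None
    row = db.execute(
        "SELECT body FROM messages WHERE id = ? AND owner = ? AND folder = ?",
        (cid, current_user, folder),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # user1 changes cid[0] from 68 (own inbox copy) to 66 (user3's inbox copy)
    print(read_message_vulnerable(db, "user1", "Inbox", 66))  # leaks the secret
    print(read_message_fixed(db, "user1", "Inbox", 66))       # None
    print(read_message_fixed(db, "user1", "Inbox", 68))       # own message still works
```

The same ownership check has to be applied to every folder the 'folder' parameter can select, including Trash, since the advisory shows that deleted-but-not-purged messages remain readable.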

Timeline

  • 2019-03-05: Contacted vendor, request for encrypted communication
  • 2019-03-06: Request from vendor to name the affected product (no encryption)
  • 2019-03-06: Provided Module-Name (no encryption)
  • 2019-03-06: Further contact with vendor, sadly still no encryption
  • 2019-03-13: Reminder, deadline set for 18th of March for a response (no encryption)
  • 2019-03-19: No response, reserving CVEs, planned release on 2019-04-01
  • 2019-03-22: MITRE informs us that 5 CVEs are reserved
  • 2019-03-29: Publishing basic information, informing MITRE and vendor
  • 2019-05-01: Publishing full vulnerability details