Broken Access Control

Description

A broken access control vulnerability in all Maarch RM versions allows anyone with access to the preview URLs ({url}/tmp/{MD5 hash of the document}) to retrieve documents present in the archives without authentication. Which document types can be retrieved (pdf, email, etc.) depends on the configuration of the preview function.

Information

  • CVE ID: CVE-2022-37774
  • Vulnerability Type: Broken Access Control
  • Vendor of Product: Maarch Xelians
  • Affected Product:
    • Maarch RM 2.8.X - all versions < 2.8.6
    • Maarch RM 2.9.X - all versions < 2.9.1
  • Affected Component: page: /tmp/{MD5 hash of the document}
  • Editor confirmed: Yes
  • Discoverer: François Mehault (francois.mehault -at- proton -dot- me)

References

Approximate Timeline

  • 2022/07/20: Vulnerabilities discovered
  • 2022/07/29: Vulnerabilities reported to the editor (Maarch Xelians)
  • 2022/08/31: Confirmation of vulnerability by the editor
  • 2022/10/18: Vendor issued an official fix (Maarch RM 2.8.6 and 2.9.1)

Technical details

Broken Access Control - Maarch RM All versions, {url}/tmp/{MD5 hash of the document}

  • Details: When a document (pdf, email, etc.) is accessed from an archive, the application offers a preview, depending on the configuration of the preview function. Generating the preview produces a URL that includes an MD5 hash of the accessed file. This URL is then accessible without authentication.
  • Privileges: No privilege required; the attacker only needs to know the URL (browser history, access logs).
  • Location example: http[s]://{url}/tmp/{MD5 hash of the document}
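
For defenders assessing exposure, the following added example (not part of the original advisory or of Maarch RM) scans web server access logs for preview URLs of the form described above that were served successfully. It assumes Combined Log Format; the function names, the sample log lines and the two review heuristics (more than one client IP per hash, or no Referer) are assumptions to tune per deployment.

```python
import re
from collections import defaultdict

# Assumed input: Combined Log Format (ip ident user [time] "request" status size "referer" "agent")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)
# Path shape taken from the advisory: /tmp/{MD5 hash of the document}
PREVIEW_RE = re.compile(r'^/tmp/(?P<md5>[0-9a-fA-F]{32})(?![0-9a-fA-F])')

def preview_hits(lines):
    """Yield (ip, timestamp, md5, referer) for each preview URL served with a 2xx status."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        p = PREVIEW_RE.match(m["path"])
        if p:
            yield m["ip"], m["ts"], p["md5"].lower(), m["referer"] or "-"

def review_candidates(lines):
    """Return {md5: sorted client IPs} for previews fetched by more than one
    client IP or fetched without a Referer (heuristics, not proof of abuse)."""
    ips, no_referer = defaultdict(set), set()
    for ip, _ts, md5, referer in preview_hits(lines):
        ips[md5].add(ip)
        if referer == "-":
            no_referer.add(md5)
    return {h: sorted(a) for h, a in ips.items() if len(a) > 1 or h in no_referer}

# Constructed sample log lines (documentation IP ranges, made-up hashes and host)
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2022:10:00:01 +0000] "GET /tmp/0123456789abcdef0123456789abcdef HTTP/1.1" 200 48211 "https://archive.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Oct/2022:10:07:44 +0000] "GET /tmp/0123456789abcdef0123456789abcdef HTTP/1.1" 200 48211 "-" "curl/7.85.0"',
    '192.0.2.10 - - [20/Oct/2022:10:09:12 +0000] "GET /tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 1024 "https://archive.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Oct/2022:10:11:30 +0000] "GET /tmp/ffffffffffffffffffffffffffffffff HTTP/1.1" 404 0 "-" "curl/7.85.0"',
    '192.0.2.10 - - [20/Oct/2022:10:12:02 +0000] "GET /tmp/upload.png HTTP/1.1" 200 300 "https://archive.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for md5, clients in review_candidates(SAMPLE_LOG).items():
        print(md5, clients)
```

Because knowing the URL is enough to fetch the document on affected versions, the access logs themselves and any report produced from them should be handled as sensitive.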