Broken Access Control
Description
A broken access control vulnerability in all Maarch RM versions allows anyone with access to the URLs ({url}/tmp/{MD5 hash of the document}) to retrieve, without authentication, documents present in the archives. The document types exposed (pdf, email, etc.) depend on the configuration of the preview function.
Information
- CVE ID: CVE-2022-37774
- Vulnerability Type: Broken Access Control
- Vendor of Product: Maarch Xelians
- Affected Product:
  - Maarch RM 2.8.X - all versions < 2.8.6
  - Maarch RM 2.9.X - all versions < 2.9.1
- Affected Component: page: /tmp/{MD5 hash of the document}
- Editor confirmed: Yes
- Discoverer: François Mehault (francois.mehault -at- proton -dot- me)
References
- Advisory: https://github.com/frame84/vulns
- CVE: CVE-2022-37774
- Product site: https://maarch.ovh/maarch-rm/
- Release advisories:
- ExploitDB: NA
Approximate Timeline
- 2022/07/20: Vulnerabilities discovered
- 2022/07/29: Vulnerabilities reported to the editor (Maarch Xelians)
- 2022/08/31: Confirmation of vulnerability by the editor
- 2022/10/18: Vendor issued an official fix (Maarch RM 2.8.6 and 2.9.1)
Technical details
Broken Access Control - Maarch RM All versions, {url}/tmp/{MD5 hash of the document}
- Details: When a document (pdf, email, etc.) is accessed from an archive, the application offers a preview, depending on the configuration of the preview function. This preview generates a URL that includes an MD5 hash of the accessed file. This URL is then accessible without authentication.
- Privileges: No privilege required; the attacker just needs to know the URL (browser history, access logs).
- Location example: http[s]://{url}/tmp/{MD5 hash of the document}
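
A detection sketch for the condition described above, added here as an example and not part of the original advisory or of Maarch RM: it scans a web access log for successful requests to /tmp/{MD5 hash} from clients that made no earlier application request in the same log. The Combined Log Format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Combined Log Format; adapt the pattern to your front-end web server.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Preview path from the advisory: /tmp/ followed by a 32-hex-digit MD5 value.
PREVIEW = re.compile(r'^/tmp/([0-9a-f]{32})\b', re.IGNORECASE)

def find_direct_preview_hits(lines):
    """Successful /tmp/{md5} requests from clients with no earlier non-preview
    request in the log: a heuristic for retrieval outside an application session."""
    seen_app_traffic = set()  # client IPs that already requested an application page
    findings = []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # ignore lines that do not parse
        hit = PREVIEW.match(m["path"])
        if hit is None:
            seen_app_traffic.add(m["ip"])
        elif m["status"].startswith("2") and m["ip"] not in seen_app_traffic:
            findings.append({"ip": m["ip"], "time": m["ts"], "md5": hit.group(1).lower()})
    return findings

def exposed_documents(findings):
    """Group findings by document hash so each exposed preview can be reviewed."""
    by_doc = defaultdict(set)
    for f in findings:
        by_doc[f["md5"]].add(f["ip"])
    return {md5: sorted(ips) for md5, ips in by_doc.items()}

# Constructed sample log lines (documentation IP ranges, made-up hashes).
DOC = "0123456789abcdef0123456789abcdef"
MISSING = "f" * 32
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Oct/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    f'192.0.2.10 - - [18/Oct/2022:10:00:05 +0000] "GET /tmp/{DOC} HTTP/1.1" 200 48213',
    f'203.0.113.7 - - [18/Oct/2022:11:30:00 +0000] "GET /tmp/{DOC} HTTP/1.1" 200 48213',
    f'203.0.113.7 - - [18/Oct/2022:11:30:02 +0000] "GET /tmp/{MISSING} HTTP/1.1" 404 196',
    '198.51.100.4 - - [18/Oct/2022:12:00:00 +0000] "GET /tmp/notes.txt HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for md5, ips in exposed_documents(find_direct_preview_hits(SAMPLE_LOG)).items():
        print(md5, ips)
```

The "no earlier application request" test only prioritises review: shared or NAT addresses and log rotation can hide or create matches, so treat the output as leads rather than proof.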