An unauthenticated visitor can access a path like .../settings/userexport #10110
Comments
Thanks, I need to move this module to the new folder system; I'll take care of this in the same effort.
Do you think this could be a security issue? I am thinking of some URL parameter forgery.
No, the feature still requires a valid authentication cookie even if the route is accessible to non-logged-in users.
I just got the CVE number CVE-2021-30141 for this issue.
Post-mortem: After investigation this security vulnerability proved to be less harmful than initially feared. Accessing the user export as an anonymous user enabled exporting data with
Given the size of the result set for the latter two tables on most nodes, the requested fraudulent export for contacts and all data is likely to fail by hitting the PHP memory limit on the node's server anyway. So, a big scare, but nothing serious in the end. Thanks to @AlfredSK for the initial report and @urbalazs for the escalation, even if it didn't prove harmful.
Thank you for the update and for the details about the issue.
Bug Description
I saw some weird and suspicious lines in the PHP error log. On the Friendica forum node there are no user accounts I don't own. But still, the errors indicated that someone was trying to export a user account. So I checked if I can access the userexport path in a private browser window. Yep. I can.
Well, the export doesn't work because the system doesn't know which user account to export when the visitor clicks on the link "export account". But it really looks like a dangerous habit to allow access to that page for unauthenticated visitors.
From the PHP log:
Steps to Reproduce
Open .../settings/userexport in a private browser window (unauthenticated access).
Actual Result:
Expected Result:
Access denied error page.
Platform Info
Friendica Version: 2021.03-rc
Friendica Source: git
PHP version: 7.4
SQL version: MariaDB 10.3
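The pattern the report describes, as an added example that is not Friendica's code: a route that is served to anyone, so the handler only fails later when it cannot tell which account to export (and logs an error), beside a front controller that decides authentication once from a route table and returns an access-denied response before the handler runs. The route table, the `dispatchUnchecked`/`dispatchChecked` functions, the session array and the user id 42 are all hypothetical; a real application would read the session from its cookie-backed store.

```php
<?php
// Added example, not Friendica's code: enforcing login at dispatch time so a
// route like /settings/userexport is denied to anonymous visitors up front.
declare(strict_types=1);

// Constructed session stand-in; a real app reads this from the cookie-backed session.
function currentUserId(array $session): ?int
{
    return isset($session['uid']) && is_int($session['uid']) ? $session['uid'] : null;
}

// Hypothetical route table: each entry records whether a logged-in user is required.
const ROUTES = [
    '/settings/userexport' => ['auth' => true,  'handler' => 'userExport'],
    '/about'               => ['auth' => false, 'handler' => 'about'],
];

function userExport(int $uid): array
{
    // Only reachable with a known user, so there is no "which account?" ambiguity.
    return ['status' => 200, 'body' => "export for user $uid"];
}

function about(?int $uid): array
{
    return ['status' => 200, 'body' => 'about page'];
}

// Vulnerable shape from the issue: the route is rendered for anyone and the
// handler itself has to cope with a missing user, failing noisily (the kind of
// entries that showed up in the PHP error log in the report).
function dispatchUnchecked(string $path, array $session): array
{
    $uid   = currentUserId($session);
    $route = ROUTES[$path] ?? null;
    if ($route === null) {
        return ['status' => 404, 'body' => 'not found'];
    }
    if ($route['handler'] === 'userExport') {
        if ($uid === null) {
            error_log('userexport: no user in session for anonymous visitor');
            return ['status' => 500, 'body' => 'export failed'];
        }
        return userExport($uid);
    }
    return about($uid);
}

// Hardened shape: authentication is decided once, at dispatch, from the route table,
// and a protected route answers with an access-denied page before any handler code runs.
function dispatchChecked(string $path, array $session): array
{
    $uid   = currentUserId($session);
    $route = ROUTES[$path] ?? null;
    if ($route === null) {
        return ['status' => 404, 'body' => 'not found'];
    }
    if ($route['auth'] && $uid === null) {
        return ['status' => 403, 'body' => 'access denied'];
    }
    return $route['handler'] === 'userExport' ? userExport($uid) : about($uid);
}

// Constructed requests: an anonymous visitor (private browser window) and a logged-in user.
$anonymous = [];
$loggedIn  = ['uid' => 42];

$cases = [
    ['/settings/userexport', $anonymous],
    ['/settings/userexport', $loggedIn],
    ['/about',               $anonymous],
];
foreach ($cases as [$path, $session]) {
    $before = dispatchUnchecked($path, $session);
    $after  = dispatchChecked($path, $session);
    printf("%-22s %-9s before=%d after=%d\n",
        $path, $session ? 'user' : 'anonymous', $before['status'], $after['status']);
}
```

The difference worth taking away is where the decision lives: with the check in the dispatcher, an anonymous request to a protected path never reaches handler code, so there is nothing for the handler to guess about and no error-log noise to investigate. A practitioner verifying a node can reproduce the report the same way it was found, by requesting the path from a browser session with no login cookie and expecting an access-denied page rather than the export page.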