Totaljs CMS 12.0 Improper Access Control

Totaljs CMS version 12.0 suffers from a broken access control on an API call.

MD5 | 1174a2d9a236e5d9d48612db561d2db1

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Broken Access Control on the API call

[+] Affected software: Totaljs CMS 12.0

[+] Description: An authenticated user with limited privileges can get
access to resource that did not own by calling the associated API.
The CMS manage correctly the privilege only for the front-end resource
path, but it does not the same for the API request. This lead to
vertical and horizontal privilege escalation.

[+] Step to reproduce:

1) create a user with any privileges (e.g. “Notices”).
2) log in with this user and browse to http://localhost:8000/admin/notices/
3) copy the __admin cookie that by default identify the session user
4) create a POST request in burp to the following path
/admin/api/pages/preview/ with body {"body":"","template":"default"}
5) you will get a 200 response back that means we can successfully used
an API call that we don’t have the privilege to use.

[+] Project link:

[+] Original report and details:

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 30/08/2019 -> reported to seclist

Related Posts