Bhima 1.27.0 - Account Takeover via IDOR
Summary
Name | Bhima 1.27.0 - Account Takeover via IDOR |
Code name | |
Product | Bhima |
Affected versions | Version 1.27.0 |
State | Public |
Release date | 2023-04-10 |
Vulnerability
Kind | Insecure object reference |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
CVSSv3.1 Base Score | 7.6 |
Exploit available | No |
CVE ID(s) |
Description
Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.
Vulnerability
This vulnerability occurs because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.
Evidence of exploitation
A user with generic permissions can update the administrator session data through an IDOR.
A user with generic permissions can update the administrator password through an IDOR.
Here we can see that from the front end we cannot access any administrative interface to update user data (the administrator in our case).
However, this functionality is only hidden. If we send the request to update this data from an account with general permissions, we will not be stopped for lack of permissions.
This way we will be able to compromise any registered account from a general account (without administrator permissions clearly).
Our security policy
We have reserved the ID CVE-2023-0944 to refer to this issue from now on.
System Information
-
Version: Bhima 1.27.0
-
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/IMA-WorldHealth/bhima/
Timeline
2023-02-21
Vulnerability discovered.
2023-02-21
Vendor contacted.
2023-02-21
Vendor replied acknowledging the report.
2023-04-10
Public Disclosure.