Bhima 1.27.0 - Account Takeover via IDOR

Summary

NameBhima 1.27.0 - Account Takeover via IDOR
Code name
ProductBhima
Affected versionsVersion 1.27.0
StatePublic
Release date2023-04-10

Vulnerability

KindInsecure object reference
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSSv3.1 Base Score7.6
Exploit availableNo
CVE ID(s)

Description

Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.

Vulnerability

This vulnerability occurs because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.

Evidence of exploitation

A user with generic permissions can update the administrator session data through an IDOR.

idor-change-info

A user with generic permissions can update the administrator password through an IDOR.

idor-change-password

Here we can see that from the front end we cannot access any administrative interface to update user data (the administrator in our case).

However, this functionality is only hidden. If we send the request to update this data from an account with general permissions, we will not be stopped for lack of permissions.

This way we will be able to compromise any registered account from a general account (without administrator permissions clearly).

ato-bhima

Our security policy

We have reserved the ID CVE-2023-0944 to refer to this issue from now on.

System Information

  • Version: Bhima 1.27.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/IMA-WorldHealth/bhima/

Timeline

Time-lapse-logo

2023-02-21

Vulnerability discovered.

Time-lapse-logo

2023-02-21

Vendor contacted.

Time-lapse-logo

2023-02-21

Vendor replied acknowledging the report.

Time-lapse-logo

2023-04-10

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.