Bhima 1.27.0 - Account Takeover via IDOR

Summary

Vulnerability

Description

Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.

Vulnerability

This vulnerability occurs because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.

Evidence of exploitation

A user with generic permissions can update the administrator session data through an IDOR.

A user with generic permissions can update the administrator password through an IDOR.

Here we can see that from the front end we cannot access any administrative interface to update user data (the administrator in our case).

However, this functionality is only hidden. If we send the request to update this data from an account with general permissions, we will not be stopped for lack of permissions.

This way we will be able to compromise any registered account from a general account (without administrator permissions clearly).

Our security policy

We have reserved the ID CVE-2023-0944 to refer to this issue from now on.

• https://fluidattacks.com/advisories/policy/

System Information

• Version: Bhima 1.27.0

• Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/IMA-WorldHealth/bhima/

Timeline