CMS-10973

Unauthenticated information disclosure vulnerability report


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • 4.5.0
    • Ametys 4.3.18
    • 4.5 RC2

      Hi,

      I found a vulnerability in the auto-completion plugin.

      The auto-completion plugin exposes an XML file containing all the words typed inside the posts, both private and public. This file is exposed without authentication at:

      https://www.adomain.tld/plugins/web/service/search/auto-completion/adomain/en.xml

      It is possible for an attacker to extract the complete content of the XML file even with the limit set to 10 matching results, using API scraping techniques such as this one: https://podalirius.net/en/articles/scraping-search-apis-depth-first-style/

      The information present in this XML file can contain sensitive information such as passwords, IP addresses, usernames and emails. I successfully managed to get a list of valid usernames from this auto-completion XML file in one of my client's apps, without authentication.

      Fix: I think the auto-completion plugin should not expose this XML file at all, but if it does it should be at least protected by authentication.

      Best regards,

            Assignee: Raphaël Franchet
            Reporter: Podalirius
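A detection check a defender could run over web-server access logs to spot the depth-first prefix enumeration the report describes, as an added example that is not part of the report or of Ametys. It assumes combined-format access logs and a `q` query parameter carrying the typed prefix (the parameter name is an assumption, not something the report states); the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines; the endpoint path is the one quoted in the report,
# the "q" parameter name is an assumption. 203.0.113.7 walks prefixes depth-first.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2024:10:00:01 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=a HTTP/1.1" 200 812
203.0.113.7 - - [01/Jun/2024:10:00:02 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=ab HTTP/1.1" 200 790
203.0.113.7 - - [01/Jun/2024:10:00:03 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=abc HTTP/1.1" 200 410
203.0.113.7 - - [01/Jun/2024:10:00:04 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=ac HTTP/1.1" 200 655
203.0.113.7 - - [01/Jun/2024:10:00:05 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=b HTTP/1.1" 200 801
203.0.113.7 - - [01/Jun/2024:10:00:06 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=ba HTTP/1.1" 200 720
203.0.113.7 - - [01/Jun/2024:10:00:07 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=bc HTTP/1.1" 200 698
198.51.100.4 - - [01/Jun/2024:10:05:00 +0000] "GET /plugins/web/service/search/auto-completion/adomain/en.xml?q=doc HTTP/1.1" 200 300
"""
AUTOCOMPLETE_PATH = "/plugins/web/service/search/auto-completion/"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def parse_autocomplete_requests(log_text):
    # Map client IP -> list of prefixes requested from the auto-completion endpoint.
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.startswith(AUTOCOMPLETE_PATH):
            continue
        hits[m.group("ip")].append(parse_qs(url.query).get("q", [""])[0])
    return hits

def enumeration_score(prefixes):
    # Fraction of distinct prefixes that extend another observed prefix by one character:
    # a depth-first walk of the completion space ("a" -> "ab" -> "abc") scores high.
    seen = set(prefixes)
    extensions = sum(1 for p in seen if len(p) > 1 and p[:-1] in seen)
    return extensions / len(seen) if seen else 0.0

def flag_enumerators(log_text, min_distinct=6, min_score=0.6):
    # Flag clients that issued many distinct prefixes with a depth-first shape.
    flagged = {}
    for ip, prefixes in parse_autocomplete_requests(log_text).items():
        distinct, score = len(set(prefixes)), enumeration_score(prefixes)
        if distinct >= min_distinct and score >= min_score:
            flagged[ip] = {"requests": len(prefixes), "distinct_prefixes": distinct, "score": round(score, 2)}
    return flagged

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))
```

Thresholds are starting points; a real site's legitimate typing also produces short prefix chains, so tune `min_distinct` against a baseline before alerting.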
