  1. CMS
  2. CMS-10973

Unauthenticated information disclosure vulnerability report

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 4.5.0
    • None
    • None
    • Ametys 4.3.18
    • 4.5 RC2

    Description

      Hi,

      I found a vulnerability in the auto-completion plugin.

      The auto-completion plugin exposes an XML file containing all the words typed inside the posts, both private and public. This file is exposed without authentication at:

      https://www.adomain.tld/plugins/web/service/search/auto-completion/adomain/en.xml

      It is possible for an attacker to extract the complete content of the XML file even with the limit set to 10 matching results using API scraping techniques such as this one: https://podalirius.net/en/articles/scraping-search-apis-depth-first-style/

      The information present in this XML file can contain sensitive information such as passwords, IP addresses, usernames and emails. I successfully managed to get a list of valid usernames from this auto-completion XML file in one of my clients' apps, without authentication.

      Fix: I think the auto-completion plugin should not expose this XML file at all, but if it does, it should at least be protected by authentication.

      Best regards,
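
A defender-side check for the enumeration described in the report, as an added example that is not part of the original issue or of the Ametys code: it scans access-log lines for clients that request many one-character extensions of the same prefix on the auto-completion path. The query parameter name `q`, the log format, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path shape taken from the report; the site and language segments vary.
ENDPOINT = re.compile(r"^/plugins/web/service/search/auto-completion/[^/]+/[^/]+\.xml$")
# Combined-log-format prefix: client IP, identity, user, [time], "GET <target> HTTP/x"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) HTTP/[\d.]+"')
QUERY_PARAM = "q"  # ASSUMPTION: the report does not name the search parameter


def prefixes_by_client(lines):
    """Map client IP -> set of search terms it sent to the endpoint."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(2))
        if ENDPOINT.match(url.path):
            for term in parse_qs(url.query).get(QUERY_PARAM, []):
                seen[m.group(1)].add(term.lower())
    return seen


def max_fanout(terms):
    """Largest number of distinct one-character extensions of a single prefix."""
    children = defaultdict(set)
    for term in terms:
        if term:
            children[term[:-1]].add(term[-1])
    return max((len(c) for c in children.values()), default=0)


def flag_enumerators(lines, threshold=8):
    """Return {client: fanout} for clients whose fan-out reaches the threshold."""
    fanouts = {c: max_fanout(t) for c, t in prefixes_by_client(lines).items()}
    return {c: f for c, f in fanouts.items() if f >= threshold}


def _line(ip, term):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET /plugins/web/service/search/'
            f'auto-completion/adomain/en.xml?{QUERY_PARAM}={term} HTTP/1.1" 200 512')


# Constructed sample: .10 types one word; .66 requests many extensions of "a".
SAMPLE_LOG = [_line("192.0.2.10", "passw"[:i]) for i in range(1, 6)]
SAMPLE_LOG += [_line("198.51.100.66", t) for t in ["a"] + ["a" + c for c in "abcdefgh"]]
```

A user typing a word extends each prefix by one character, so the fan-out stays near 1; the threshold should be tuned against real traffic, since several users behind one address raise it.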

            People

              raphael Raphaël Franchet
              Podalirius Podalirius