_CVE-2023-38872: Gugoan Economizzer IDOR (Insecure Direct Object Reference) vulnerability in financial management web application allows unauthorized and unauthenticated access to other users' cash book entry attachments (commit 373088 - April, 2023 and v.9-beta1)_

Description

In April 2023, a serious Insecure Direct Object Reference (IDOR) vulnerability was discovered in gugoan Economizzer, a popular financial management web application. The flaw allows an unauthenticated attacker to access cash book entry attachments that belong to other users of the system. The vulnerability affects commit 373088 (April, 2023) and v.9-beta1 of gugoan Economizzer.

To exploit this weakness, an attacker only needs to know the id of the targeted attachment. The exploitation does not appear to require any form of authentication, which makes it a greater threat to the privacy of Economizzer users. In this post, we examine the details, the vulnerable code snippet, the original references, and the exploit details of this security bug.

Original References

- National Vulnerability Database (NVD): CVE-2023-38872
- Gugoan Economizzer Repository on GitHub: commit 373088

Code Snippet with Vulnerability

use Yii;
use yii\web\NotFoundHttpException;
use app\models\Attachment;   // model namespace assumed
use app\models\Cashbook;     // model namespace assumed

// Serves a cash book attachment looked up by the id_attach request parameter.
public function action_attach($id_attach)
{
    // The attachment record is loaded from the id supplied by the client.
    $attach = Attachment::findOne($id_attach);
    if ($attach !== null) {
        $user_id = Yii::$app->user->identity->id;
        $cashbook_data = Cashbook::find()->byUser($user_id)->byAttach($id_attach)->one();
        if ($cashbook_data !== null) {
            // The file is served from the per-user upload directory.
            $path = Yii::$app->basePath . "/web/uploads/" . $cashbook_data->id_user . "/";
            return Yii::$app->response->sendFile($path . $attach->filename);
        }
        // No cashbook row matched: the action falls through and returns nothing.
    } else {
        throw new NotFoundHttpException("The requested page does not exist.");
    }
}

This code snippet shows how the application retrieves the attachment requested by the user in the action_attach() function. The vulnerability lies in the implementation of that function, which allows an insecure direct object reference: as shown above, there is no proper authorization check requiring the requester to be the owner of the requested attachment.

Exploit Details

To exploit this IDOR vulnerability, an attacker sends a GET request to the following vulnerable URL, simply changing the 'id_attach' parameter in the URL:

http://[economizzer_domain]/cashbook/attach?id_attach=[any_attachment_id]

By visiting this URL with a valid attachment id, the attacker bypasses the inadequate authorization controls and accesses any user's cash book entry attachment.

Recommendation & Mitigation

Until a patch is released for this vulnerability, it is highly recommended to implement a proper authorization control in the action_attach() function. That control should verify that the authenticated user requesting the attachment is the actual owner of the attachment, by adding checks that confirm ownership of the attachment against the user_id.
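The ownership check this recommendation calls for, as an added example that is not Economizzer's code: plain PHP with no Yii dependency, an in-memory stand-in for the Attachment and Cashbook tables (the column names id, id_user, filename and id_attach are taken from the snippet above; the rows themselves are constructed), and the lookup written twice, once resolved from the request id alone, which is the IDOR pattern the advisory describes, and once scoped to the authenticated user. The function names attachVulnerable, attachHardened and expect are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Economizzer's code. Constructed stand-ins for the
// Attachment and Cashbook tables; column names follow the advisory's snippet.
const ATTACHMENTS = [
    1 => ['id' => 1, 'filename' => 'receipt-jan.pdf'],
    2 => ['id' => 2, 'filename' => 'invoice-feb.pdf'],
];
const CASHBOOK = [
    ['id' => 10, 'id_user' => 100, 'id_attach' => 1],
    ['id' => 11, 'id_user' => 200, 'id_attach' => 2],
];

// IDOR pattern: the attachment is resolved from the request parameter alone,
// so whoever supplies a valid id is served the file, regardless of who owns it.
function attachVulnerable(int $idAttach): array
{
    $attach = ATTACHMENTS[$idAttach] ?? null;
    if ($attach === null) {
        return ['status' => 404, 'file' => null];
    }
    foreach (CASHBOOK as $row) {
        if ($row['id_attach'] === $idAttach) {
            return ['status' => 200, 'file' => "uploads/{$row['id_user']}/{$attach['filename']}"];
        }
    }
    return ['status' => 404, 'file' => null];
}

// Hardened pattern: require an authenticated user, then resolve the attachment
// only through a cashbook row owned by that user. A guest gets 401; a user who
// does not own the attachment gets the same 404 as a non-existent id, so the
// response does not reveal which ids exist.
function attachHardened(?int $currentUserId, int $idAttach): array
{
    if ($currentUserId === null) {
        return ['status' => 401, 'file' => null];
    }
    foreach (CASHBOOK as $row) {
        if ($row['id_user'] !== $currentUserId || $row['id_attach'] !== $idAttach) {
            continue;
        }
        $attach = ATTACHMENTS[$idAttach] ?? null;
        if ($attach === null) {
            break;
        }
        // basename() is an extra guard so a stored filename cannot escape the
        // per-user upload directory.
        return ['status' => 200, 'file' => "uploads/{$currentUserId}/" . basename($attach['filename'])];
    }
    return ['status' => 404, 'file' => null];
}

// Small check helper so the example fails loudly instead of relying on assert().
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed requests: user 100 owns attachment 1, user 200 owns attachment 2.
expect(attachVulnerable(2)['status'] === 200, "vulnerable lookup serves another user's file to any caller");
expect(attachHardened(100, 1)['status'] === 200, "owner can fetch own attachment");
expect(attachHardened(100, 1)['file'] === 'uploads/100/receipt-jan.pdf', "path is scoped to the owner");
expect(attachHardened(100, 2)['status'] === 404, "non-owner gets not found");
expect(attachHardened(null, 2)['status'] === 401, "guest must authenticate");
echo "all checks passed\n";
```

Run it with the PHP CLI (`php idor-check.php`). In Yii2 terms the two conditions map onto an access filter (yii\filters\AccessControl with 'roles' => ['@']) so that guests never reach the action, plus a query that only ever finds the attachment through the requesting user's own cashbook rows and answers 404 otherwise. Returning the same 404 for "not yours" and "does not exist" matters: a distinct 403 would still let a caller enumerate which attachment ids are present.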

Stay cautious and keep your gugoan Economizzer installations updated. Following security best practices and adhering to the principle of least privilege can thwart such vulnerabilities and prevent unauthorized access to different users' data.

Timeline

Published on: 09/28/2023 04:15:12 UTC
Last modified on: 10/03/2023 00:13:23 UTC