During a Dynamic Application Security Test (DAST) in 2016, OpenSky identified a previously unknown security vulnerability (0-day) in FLEXIcontent v3.0.13 (http://www.flexicontent.org), a popular open source plugin for the Joomla! Content management System (CMS). OpenSky notified the author of the plugin and the vulnerability was fixed in version 3.1.1.
Note: Previous versions may be affected
CWE-863 Description: “The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.”
The FLEXIcontent plugin uses a query string parameter, task, which specifies the action to perform on a FLEXIcontent article. If an unauthenticated actor provides any value other than edit or a blank value to the task parameter, the actor is able to view the restricted FLEXIcontent article, regardless of the assigned permissions. Articles are sequentially numbered, which would allow an actor exploiting this vulnerability to gain read-only access to all FLEXIcontent articles by iterating through article identifiers.
Proof of Concept
Since this was discovered during a client engagement, OpenSKy has recreated the vulnerable environment so that OpenSky can share the vulnerability without disclosing any client specific information.
Navigating to the following URL will only allow someone to edit article 6 if they are authorized to do so. In our demo, article 6 is only accessible by super users. Anyone who is not a super user will receive an error and is redirected to the login page:
An attacker can gain unauthorized, unauthenticated read only access to the protected resource by changing the value of the task parameter to anything other than edit or a blank value, as shown below:
An attacker can also remove the categorization and article labels and access the content with just the sequential article numbers. This is useful to enumerate all protected content:
The following URL format also works, and is needed if Search Engine Friendly (SEF) URLs are disabled: http://host/index.php?option=com_flexicontent&view=item&id=6&task=abcd
Upgrade to flexicontent-cck-3.1.1 or greater
2016-09-28: Notified FLEXIcontent author of vulnerability.
2016-09-28: FLEXIcontent author acknowledges vulnerability and confirms it will be fixed.
2016-10-31: FLEXIcontent v3.1.1 is released and silently fixes vulnerability.
2016-11-30: Researcher tests v3.1.1 and determines vulnerability has been fixed.
2016-01-31: Researcher asks the author to mention the security issue in release notes (no response).
2017-03-06: Public disclosure