Generation of Error Message Containing Sensitive Information in microweber/microweber

Valid

Reported on

Feb 13th 2022


Description

Sensitive information as part of the error is getting disclosed while viewing comments from "load_module:comments#search="

Proof of Concept

  1. Login to https://demo.microweber.org
  2. Visit https://demo.microweber.org/demo/admin/view:modules/load_module:comments#search=
  3. Now enter anything in search= parameter you can see 500 internal error with sensitive information

Impact

This vulnerability is capable of leaking sensitive data of the system where the website is hosted

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
0x2374
2 years ago

Researcher


POC Video : https://drive.google.com/file/d/1iOYRykepd6_Knn0HNq5Lk0yW2pQprIiX/view?usp=sharing

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
0x2374
2 years ago

Researcher


Hello any update?

Bozhidar
2 years ago

Maintainer


https://github.com/microweber/microweber/commit/2417bd2eda2aa2868c1dad1abf62341f22bfc20a

We have sent a follow up to the microweber team. We will try again in 4 days. 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
0x2374 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 2417bd 2 years ago
Peter Ivanov has been awarded the fix bounty
search_content.php#L38-L53 has been validated
to join this conversation