Broken Access Control on Private Message Function in admidio/admidio
Reported on
Jun 29th 2023
Description
There are two issues in the same function, the private-message reply handler. In both cases the server trusts the msg_uuid (and msg_subject) supplied in the reply request and never checks that the current user is a participant of the thread that UUID refers to.
Actors: A = admin, B = user1, C = attacker.
Scenario 1:
A sends B a private message with the subject "testing". B or C can change that subject, which breaks the integrity of the message, as long as they know the message UUID.
Scenario 2: A sends B a private message (e.g. msg_uuid=1234). C can read the whole conversation between A and B, as long as C knows the message UUID.
Proof of Concept
Scenario 1: when B replies to the message from A, B intercepts the request and changes the value of the msg_subject parameter to an arbitrary string; the subject that A set is then overwritten.
Scenario 2: C starts a reply to any private message A sent to C (e.g. msg_uuid=1111), intercepts the request, and replaces the value of the msg_uuid parameter 1111 with 1234 (the msg_uuid of the conversation between A and B). C can then read the entire conversation between A and B. When C chooses to send the request to A, B loses access to the conversation between B and A, and the messages B wrote in that thread are shown under A's name.
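As an added illustration (this is not Admidio code: the data model, the handler names, the sample threads and the way the reply re-addresses a thread are assumptions chosen to reproduce the two scenarios above), the following Python models the reply handler with and without the participant check that the report shows is missing:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class Forbidden(Exception):
    """Raised when the current user is not a participant of the requested thread."""


@dataclass
class Thread:
    msg_uuid: str
    subject: str
    sender: str                                   # A in the report
    recipient: str                                # B in the report
    parts: List[Tuple[str, str]] = field(default_factory=list)  # (author, body)

    def participants(self) -> set:
        return {self.sender, self.recipient}


def sample_db() -> Dict[str, Thread]:
    """Constructed sample data (not real Admidio rows): admin -> user1 and admin -> attacker."""
    return {
        "1234": Thread("1234", "testing", "admin", "user1",
                       [("admin", "hello"), ("user1", "hi back")]),
        "1111": Thread("1111", "other", "admin", "attacker",
                       [("admin", "hello attacker")]),
    }


def reply_vulnerable(db: Dict[str, Thread], current_user: str, msg_uuid: str,
                     body: str, msg_subject: str = None) -> Thread:
    """Models the behaviour the report describes: the reply request is fully trusted.

    The thread is located by the client-supplied msg_uuid with no check that
    current_user belongs to it, the client-supplied msg_subject overwrites the
    stored subject (scenario 1), and the reply re-addresses the thread as
    current_user <-> sender, so the original recipient drops out and their
    earlier posts are shown under the sender's name (scenario 2). The
    re-addressing rule is an assumption that reproduces the reported effect.
    """
    thread = db[msg_uuid]
    if msg_subject is not None:
        thread.subject = msg_subject
    thread.parts = [(author if author in (thread.sender, current_user) else thread.sender, text)
                    for author, text in thread.parts]
    thread.recipient = current_user
    thread.parts.append((current_user, body))
    return thread


def load_thread(db: Dict[str, Thread], current_user: str, msg_uuid: str) -> Thread:
    """Authorization check that closes both issues: a UUID is a lookup key, not a capability."""
    thread = db.get(msg_uuid)
    # Same error for unknown and foreign UUIDs, so the response does not reveal which UUIDs exist.
    if thread is None or current_user not in thread.participants():
        raise Forbidden("current user is not a participant of this thread")
    return thread


def reply_fixed(db: Dict[str, Thread], current_user: str, msg_uuid: str, body: str) -> Thread:
    """Hardened reply: participants and subject are server-side state, never request fields."""
    thread = load_thread(db, current_user, msg_uuid)
    thread.parts.append((current_user, body))
    return thread


def demo() -> dict:
    """Runs the report's two scenarios against both handlers and returns the observed outcomes."""
    out = {}
    db = sample_db()
    t = reply_vulnerable(db, "user1", "1234", "reply", msg_subject="changed by B")
    out["vuln_subject"] = t.subject                       # scenario 1: B rewrote A's subject

    db = sample_db()
    t = reply_vulnerable(db, "attacker", "1234", "hi A")   # C swapped msg_uuid 1111 for 1234
    out["vuln_c_reads"] = list(t.parts)                   # C sees the A/B conversation
    out["vuln_b_still_in"] = "user1" in t.participants()  # B lost access to the thread
    out["vuln_b_post_author"] = t.parts[1][0]             # B's post now attributed to A

    db = sample_db()
    try:
        reply_fixed(db, "attacker", "1234", "hi A")
        out["fixed_c_blocked"] = False
    except Forbidden:
        out["fixed_c_blocked"] = True
    t = reply_fixed(db, "user1", "1234", "reply")         # legitimate reply still works
    out["fixed_subject"] = t.subject                      # subject untouched by the request
    out["fixed_participants"] = sorted(t.participants())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix has two parts: the server resolves msg_uuid and then verifies the current user is a participant before any read or write (returning the same error for unknown and foreign UUIDs), and the reply request carries no msg_subject at all, since the subject belongs to the thread and not to the reply.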
Impact
Loss of confidentiality, integrity and availability in the private messages module: C can read conversations between A and B (confidentiality), B or C can rewrite subjects and message authorship (integrity), and B can be locked out of his own conversation with A (availability).