Discussion:
[oss-security] CVE-2018-12642: Incorrect Access Control of tickets in Froxlor <= 0.9.39.5
c***@chbi.eu
2018-09-19 17:36:40 UTC
Permalink
Hi,

I've discovered security issues in Froxlor <= 0.9.39.5
(https://www.froxlor.org)

An authenticated customer can read all messages of all support tickets
of every user by simply changing the "id".

It is also possible to add a new message, change the priority, close and
reopen a support ticket as another customer than the owner of the
support ticket.


Until now there is no corrected version of Froxlor available, because
the main developer has no spare time to release a new version nor to
inform users about the fixes for three months. It's also not foreseeable
when a corrected version will be released.

But Froxlor users can manually patch these issues by replacing
customer_tickets.php and lib/classes/ticket/class.ticket.php with the
corrected ones from
https://github.com/Froxlor/Froxlor/blob/436d141bd1c6f06a66b6d6e593d359afc3c2a80e/customer_tickets.php
and
https://github.com/Froxlor/Froxlor/blob/436d141bd1c6f06a66b6d6e593d359afc3c2a80e/lib/classes/ticket/class.ticket.php


I've decided to post about these security issues, because I think it is
better that Froxlor users know that fixes for security issues are
available, even if there is no corrected version released yet.


Fixes:
https://github.com/Froxlor/Froxlor/commit/aa881560cc996c38cbf8c20ee62854e27f72c73c
https://github.com/Froxlor/Froxlor/commit/436d141bd1c6f06a66b6d6e593d359afc3c2a80e


Timeline:
2018-06-19: Issues discovered and reported
2018-06-19: Issues confirmed and partial fixed
2018-06-21: Issues fixed; Response summarized: Developer needs a few
days for a new release
2018-07-12: Asked when developer plan to release a new version
2018-07-12: Response summarized: Developer wait until package builder is
available again
2018-08-20: Notified the developer about posting on 2018-09-19 to inform
Froxlor users
2018-08-21: Response summarized: Lack of understanding regarding a
posting. I should give users a chance to update. Developer has no spare
time to release a new version.
--
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E
https://chbi.eu/chbi.asc
Loading...