I have locally hosted PIWIK (2.14.3) on my machine and tested a few modules of it. While going through an account I observed that when a user gets created, he/she gets a "token_auth" which is static for the lifetime of the account (it doesn't expire after logout).
If in any way I get this token of the account owner, I will have lifetime access to his/her account. I can fire any request on the owner's account, whether it's creating a user, deleting a user, creating an Email report or deleting Email reports, etc.
Note that this vulnerability is present/tested on the latest version of PIWIK and also on your "Cloud-hosted Piwik".
POC:
1. Login to the account.
2. Create a user or create an Email report and capture that POST request.
3. Logout from the account.
4. Modify and replay the request captured in step 2 and see the success response.
5. Login to the account and verify the changes.

In fact, in step 4, you don't need a cookie to get a success response. :D :D You can fire that request without any valid/invalid cookie.
You only need the user's "token_auth" and the account name of the account owner. That's all, and you can own his account.
Recommendation:
Instead of using token_auth, you should use an Anti-CSRF token to verify each and every incoming request from users.
If you implement the Anti-CSRF token in a proper way, all such malicious requests will fail.
I have uploaded a video POC and sample requests on Dropbox. In this video POC, I have created and deleted "Email Reports" after logout. In the same way, you can create users or delete users or do any other operations.
If a password gets compromised, the user can change the password.
But once 'token_auth' gets compromised, the user won't be able to change it. It's a static token which will remain the same for the entire life of the user account.
If an attacker somehow gets this token of any user, then that user will remain vulnerable forever.
And here, the attacker only needs 'token_auth' to perform all operations on the user's behalf. The attacker doesn't require the username or password of the user.
Download Link:
https://www.dropbox.com/s/f3jbb6k3z2ku374/Create%20and%20Delete%20Email%20Report%20-%20PIWIK.zip?dl=1
Request you to please check the same and let me know if anything is needed.
Thanks,
Tushar
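The two defenses the report asks for, shown as an added example in Python (not Piwik code; Piwik itself is PHP) so the behaviour is easy to run and test. It assumes a hypothetical `AuthService` with an in-memory session store: a state-changing request is only authorized when it carries a live session cookie and the anti-CSRF token bound to that session, so the replayed request from step 4 of the POC is rejected after logout or without a cookie, and the per-user API token can be regenerated, so a leaked token stops working once the user rotates it. All names, tokens and users here are constructed for the example.

```python
"""Constructed example: session-bound anti-CSRF check plus rotatable API token.
Not Piwik's implementation; it models the behaviour the report recommends."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    csrf_token: str  # minted at login, bound to this session only


class AuthService:
    """Hypothetical service holding sessions and per-user API tokens in memory."""

    def __init__(self):
        self.sessions = {}    # session cookie value -> Session
        self.api_tokens = {}  # user -> current token_auth (regenerable)

    def login(self, user):
        # A fresh, unguessable cookie and a fresh CSRF token per login.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, secrets.token_urlsafe(32))
        return sid

    def logout(self, sid):
        # Logging out invalidates the session and, with it, its CSRF token.
        self.sessions.pop(sid, None)

    def csrf_token_for(self, sid):
        # What the server embeds in the form/page for this logged-in session.
        return self.sessions[sid].csrf_token

    def authorize_state_change(self, cookie, csrf_token):
        """Return the acting user if the request has a live session cookie AND
        the CSRF token minted for that session; otherwise None (reject)."""
        session = self.sessions.get(cookie)
        if session is None:
            return None  # no cookie, stale cookie, or logged-out session
        if not hmac.compare_digest(session.csrf_token, csrf_token or ""):
            return None  # missing token, or token from another session
        return session.user

    def rotate_api_token(self, user):
        # Replaces the user's token_auth; the previous value stops working.
        self.api_tokens[user] = secrets.token_hex(16)
        return self.api_tokens[user]

    def user_for_api_token(self, token):
        # Constant-time lookup of the user owning a presented token_auth.
        for user, current in self.api_tokens.items():
            if hmac.compare_digest(current, token or ""):
                return user
        return None


def replay_scenario():
    """Walk the POC steps against the hardened check; returns the outcomes."""
    svc = AuthService()
    sid = svc.login("alice")
    tok = svc.csrf_token_for(sid)
    before = svc.authorize_state_change(sid, tok)        # logged in: "alice"
    svc.logout(sid)
    after = svc.authorize_state_change(sid, tok)         # replay after logout: None
    no_cookie = svc.authorize_state_change(None, tok)    # token without cookie: None
    sid2 = svc.login("bob")
    cross = svc.authorize_state_change(sid2, tok)        # alice's token on bob's session: None
    return before, after, no_cookie, cross


def rotation_scenario():
    """A leaked token_auth is dead once the user regenerates it."""
    svc = AuthService()
    leaked = svc.rotate_api_token("alice")   # initial token, assume it leaked
    svc.rotate_api_token("alice")            # user rotates it
    current = svc.api_tokens["alice"]
    return svc.user_for_api_token(leaked), svc.user_for_api_token(current)


if __name__ == "__main__":
    print("replay:", replay_scenario())      # ('alice', None, None, None)
    print("rotation:", rotation_scenario())  # (None, 'alice')
```

The point of binding the CSRF token to the session rather than to the account is that logout, session expiry and a second login all invalidate it automatically; a static per-account secret can never be invalidated that way, which is exactly the weakness described above.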