Abstract
"Servei de l'Atenció a l'Estudiantat" (SAE), a service of the Universitat de Barcelona, runs a system that stores every message sent to it as an issue. Unfortunately, every issue is visible to the public, including the internal comments that UB employees write while handling an issue, which should not be visible even to the person who submitted it.
The cause is that the page used to display Frequently Asked Questions (FAQs), such as this one, takes an issue id from the URL and resolves it against the same issue store without checking the record type, the session or who owns the record. Changing the id therefore returns any of the issues mentioned above: a textbook insecure direct object reference (broken object-level authorization).
Reproduction steps
- Open http://aris.ub.edu/MRcgiUB/WS/proj33/ensenyarDetall.pl?id={issue}&lg=cat, where {issue} is the numeric ID of the issue you want to view. No login is required; the result is the same whether or not you are authenticated.
As an example, you can open http://aris.ub.edu/MRcgiUB/WS/proj33/ensenyarDetall.pl?id=34691&lg=cat, which is the message in which I sent a previous vulnerability report.
Severity of the vulnerability
This vulnerability exposes every message, and with it the personal data entered in the contact form: the national identification number and date of birth linked to each person's name, any further personal data or queries in the message body, and the internal comments written by UB employees. Because of this, I consider this vulnerability to be quite severe.
What should be done?
There may be different ways to fix this vulnerability, but in any case that page should only load FAQ content, never private messages sent to the SAE. The check has to happen server-side on every request: the lookup should be restricted to records flagged as public FAQ entries, and an id that does not match such a record should be rejected (returning the same "not found" response for a private issue and for a nonexistent one avoids confirming which ids exist). Private messages, if they are to be shown at all, belong behind an authenticated view that verifies the requester owns the issue and that never includes staff-only internal comments.
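The following is an added example, not the SAE's own code (the ensenyarDetall.pl source is not public). It models the access-control defect described above as a lookup handler in Python, next to a hardened FAQ handler and a separate owner-only ticket view. The issue store, the record fields (kind, owner, internal_comments), the session dictionary and all sample data are assumptions constructed for the example.

```python
"""Added example: IDOR in an FAQ detail page, with the hardened form.

Not the SAE/aris.ub.edu code. The store, record shape, session format and
sample records below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Issue:
    id: int
    kind: str                      # "faq" (public) or "ticket" (private message to the SAE)
    owner: Optional[str]           # who submitted it; None for FAQ entries
    subject: str
    body: str
    internal_comments: list = field(default_factory=list)  # staff-only notes


# Constructed sample data; ids and contents are invented for the example.
STORE = {
    100: Issue(100, "faq", None, "How do I enrol?", "Use the online form."),
    101: Issue(101, "ticket", "student@example.org", "My grades are missing",
               "DNI 00000000A, born 1999-01-01, please check my record.",
               ["Staff note: forwarded to secretariat"]),
}


def vulnerable_show_detail(issue_id: int, session: Optional[dict] = None) -> Optional[dict]:
    """The pattern that causes the bug: the id from the URL is the only input.

    Record type, session and ownership are never consulted, so any id that
    exists returns the full record, staff-only internal comments included.
    """
    issue = STORE.get(issue_id)
    if issue is None:
        return None
    return {"id": issue.id, "subject": issue.subject, "body": issue.body,
            "internal_comments": list(issue.internal_comments)}


def hardened_faq_detail(issue_id: int, session: Optional[dict] = None) -> Optional[dict]:
    """FAQ page: serves public FAQ entries only, whatever the session holds.

    A private ticket id and a nonexistent id both yield None (render as the
    same "not found" page), so the endpoint neither leaks the record nor
    confirms which ids exist.
    """
    issue = STORE.get(issue_id)
    if issue is None or issue.kind != "faq":
        return None
    return {"id": issue.id, "subject": issue.subject, "body": issue.body}


def ticket_detail(issue_id: int, session: Optional[dict]) -> Optional[dict]:
    """Owner-only view of a private message.

    Requires an authenticated session whose user matches the ticket's owner;
    internal comments are never included in the view returned to the owner.
    """
    issue = STORE.get(issue_id)
    if issue is None or issue.kind != "ticket":
        return None
    user = (session or {}).get("user")
    if user is None or user != issue.owner:
        return None
    return {"id": issue.id, "subject": issue.subject, "body": issue.body}


if __name__ == "__main__":
    # Anonymous request for a private ticket: leaks everything in the vulnerable handler,
    # nothing in the hardened one.
    print("vulnerable:", vulnerable_show_detail(101))
    print("hardened FAQ page:", hardened_faq_detail(101))
    print("owner view:", ticket_detail(101, {"user": "student@example.org"}))
```

The point of splitting the two views is that the FAQ page never has a legitimate reason to touch private records, so its query is restricted by record type before any session logic runs; ownership checks belong only on the endpoint that is meant to show a person their own message.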
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.