Page MenuHomeVulnz

All SAE support emails are visible to the public
VerifiedPublic

Description

Abstract

"Servei de l'Atenció a l'Estudiantat", a service of the Universitat de Barcelona, has a system which manages all the messages sent to them in the form of issues. Unfortunately, all the issues (including internal comments that UB employees have written in order to deal with the issues and that should not be visible even to the person who has contacted them) are visible to the public.

This is because a page which is used to display Frequently Asked Questions (FAQs) such as this one, can also be used to access any of the previously mentioned issues by changing the id in the URL.

Reproduction steps

  1. Open http://aris.ub.edu/MRcgiUB/WS/proj33/ensenyarDetall.pl?id={issue}&lg=cat, where {issue} is the ID for the issue you want to view (it doesn't matter whether you are logged in).

As an example, you can open http://aris.ub.edu/MRcgiUB/WS/proj33/ensenyarDetall.pl?id=34691&lg=cat, which is the message in which I sent a previous vulnerability report.

Severity of the vulnerability

This vulnerability allows access to all messages, which include personal information such as national identification numbers and the birthdays linked to the names of each person that has filled in the contact form, apart from the potential personal information or queries included in the message body and the internal comments made by UB employees. Because of this, I consider this vulnerability to be quite severe.

What should be done?

There may be different approaches to fix this vulnerability, but in any case, that page should only load FAQ content, not private messages sent to the SAE.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor
Universitat de Barcelona
Product
aris.ub.edu
Reported
Mar 18 2019, 12:47 AM
Deadline
90

Event Timeline

avm99963 triaged this task as Priority-1 priority.
avm99963 updated the task description. (Show Details)Mar 18 2019, 12:25 AM
avm99963 set Reported to Mar 18 2019, 12:47 AM.Mar 18 2019, 12:52 AM
avm99963 closed this task as Verified.Mar 19 2019, 6:26 PM

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Mar 19 2019, 6:26 PM