vulnerability. The vulnerability can be triggered with a specially crafted token request. The authentication flow can be observed in the following diagram. The request flow ends up in the `admin` controller action and is validated against the secret `AdminPassword` before proceeding to the next step. If the request is validated, the user is redirected to the login page and the authentication is completed with the default credentials. However if the request fails validation, the controller action is unhandled and the request is passed on to the `AdminDisabledControllerAction` action. If the request is valid, the attack vector is through the `AdminControllerAction` action. This action is handled differently in version 1.4.0 and prior compared to version 2.2.9 and later. In version 1.4.0 and prior, this action is handled like any other action. In version 2.2.9 and later, it is handled like a Forbidden action. This means that the request fails validation and is turned into an unhandled Forbidden action. In the above diagram, if you notice on the redirection flow, the request is intercepted by the attack vector and redirected to the AdminDisabledControllerAction. Once the request reaches the action, it fails validation and is turned into an unhandled Forbidden action. This is equivalent to an unauthenticated Deny. In version 1.4.0 and prior, the request is handled like any other action and validated. In version 2.2.9 and later,

Vulnerability details

The vulnerability is located in the `AdminControllerAction` and the `AdminDisabledControllerAction` actions which are located in the admin controller. The attack vector for this vulnerability is through a token request. The exploitation of this vulnerability can be achieved by sending a specially crafted request to the `admin` controller. When the request fails validation, it is turned into an unhandled Forbidden action.

Timeline

Published on: 05/20/2022 15:15:00 UTC
Last modified on: 06/02/2022 15:26:00 UTC

References