Flarum is a popular forum software for building online communities. Recently, a vulnerability has been discovered (CVE-2023-22487) that could lead to information leakage through the mentions feature provided by the flarum/mentions extension. In this article, we will discuss the details of this vulnerability, possible methods of exploiting it, and how to mitigate or fix the issue.

Overview of the Vulnerability

The vulnerability exists because the 'mentionsPosts' relationship in the JSON:API responses of the POST /api/posts and PATCH /api/posts/<id> endpoints is not subject to proper access control: the mentioned posts are serialized into the response regardless of whether the requesting user is allowed to see them. An attacker can exploit this to leak sensitive information, such as post content, date, number, and other attributes added by extensions, without any access control. This affects all Flarum versions prior to 1.6.3.
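The following is an added example, not code from Flarum or the flarum/mentions extension, showing the mechanism in miniature: a JSON:API serializer that includes a relationship without applying the per-post visibility check, beside a hardened version that scopes the relationship to what the actor may see. The data model, the actor's permissions, the attribute names and the helper names are all constructed for illustration.

```python
"""Added example (not Flarum's or the mentions extension's code): how an
included JSON:API relationship leaks data when it skips the visibility check
that the primary resource already passed. The model, actor and permission
rules below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Actor:
    username: str
    can_see_tags: set = field(default_factory=set)
    can_approve: bool = False          # may see the approval queue


@dataclass
class Post:
    id: int
    number: int
    discussion_id: int
    content: str
    created_at: str
    tag: str = "general"
    approved: bool = True
    mentions: list = field(default_factory=list)   # post IDs written as @"name"#p<id>


def visible_to(post: Post, actor: Actor) -> bool:
    """Constructed stand-in for the forum's per-post access control."""
    if not post.approved and not actor.can_approve:
        return False
    return post.tag in actor.can_see_tags


def resource(post: Post) -> dict:
    """JSON:API resource object; these attributes are what the leak exposes."""
    return {
        "type": "posts",
        "id": str(post.id),
        "attributes": {
            "number": post.number,
            "discussionId": post.discussion_id,
            "createdAt": post.created_at,
            "contentHtml": post.content,
        },
    }


def _response(post: Post, related: list) -> dict:
    """Build a POST /api/posts style response with mentionsPosts included."""
    doc = resource(post)
    doc["relationships"] = {
        "mentionsPosts": {"data": [{"type": "posts", "id": str(p.id)} for p in related]}
    }
    return {"data": doc, "included": [resource(p) for p in related]}


def serialize_vulnerable(post: Post, actor: Actor, db: dict) -> dict:
    """Pre-fix behaviour: mentioned posts are loaded by ID and serialised
    because the author referenced them, with no check against the actor."""
    related = [db[pid] for pid in post.mentions if pid in db]
    return _response(post, related)


def serialize_fixed(post: Post, actor: Actor, db: dict) -> dict:
    """Hardened behaviour: scope the relationship to posts the actor may see,
    so the relationship cannot return more than a direct GET would."""
    related = [db[pid] for pid in post.mentions
               if pid in db and visible_to(db[pid], actor)]
    return _response(post, related)


def leaked_ids(response: dict, actor: Actor, db: dict) -> list:
    """Audit helper: IDs in `included` that the actor could not fetch directly."""
    return sorted(int(r["id"]) for r in response["included"]
                  if not visible_to(db[int(r["id"])], actor))


# Constructed forum state: one public post, one awaiting approval, one in a
# staff-only tag. The actor can only see the "general" tag.
DB = {
    1: Post(1, 1, 100, "Welcome to the forum", "2023-01-01T00:00:00Z"),
    2: Post(2, 1, 101, "Pending moderation", "2023-01-02T00:00:00Z", approved=False),
    3: Post(3, 4, 102, "Internal staff notes", "2023-01-03T00:00:00Z", tag="staff"),
}
ACTOR = Actor("regular_user", can_see_tags={"general"})
# The actor's own new post referencing three existing IDs and one that does not exist.
NEW_POST = Post(10, 2, 100, "see #p1 #p2 #p3", "2023-01-04T00:00:00Z",
                mentions=[1, 2, 3, 999])

if __name__ == "__main__":
    print("vulnerable leaks:", leaked_ids(serialize_vulnerable(NEW_POST, ACTOR, DB), ACTOR, DB))
    print("fixed leaks:     ", leaked_ids(serialize_fixed(NEW_POST, ACTOR, DB), ACTOR, DB))
```

The design point is that a relationship loaded from user-supplied IDs is a second read path into the posts table and must go through the same visibility scope as any listing endpoint; filtering at serialization time, as serialize_fixed does, also removes the resource identifiers from the relationship data, so the response does not even confirm that a hidden post ID exists.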

Exploiting the Vulnerability

To exploit the vulnerability, an attacker needs the ability to create new posts on the forum, even if the posts require approval. If the attacker can edit posts, the attack can be performed more discreetly by using a single post to scan the database and hiding the attack post content afterward. By mentioning any post ID on the forum with the syntax @"<username>"#p<id>, the attacker can obtain a URL to the mentioned post and extract sensitive information through the mentionsPosts relationship.

In addition to leaking content, the attack can also reveal posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions, such as FriendsOfFlarum Byobu. Although the discussion payload is not leaked, it is possible to extract the discussion ID of all posts and combine them back into their original discussions, albeit without knowing the discussion titles.
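The behaviour described in this section, a single post that references many post IDs and is then edited to hide its content, is detectable from an application-level audit trail. The following is an added example, not part of the original article or of Flarum, that runs two such checks over constructed log lines. It assumes an audit log in JSON-lines form that records the acting user and the submitted content for each POST /api/posts and PATCH /api/posts/<id> request; the field names, thresholds and sample events are assumptions.

```python
"""Added example (not Flarum's code): flag posts that mention an unusually
large or sequential set of post IDs, and edits that strip those mentions
out again. Log format, field names and thresholds are assumptions."""
import json
import re

# Post-mention syntax used by the mentions extension: @"<username>"#p<id>
MENTION_RE = re.compile(r'@"[^"]*"#p(\d+)')

# Constructed audit events: a normal reply, then one user referencing forty
# consecutive post IDs in a single post and later editing them all out.
SAMPLE_EVENTS = [
    {"ts": "2023-01-12T10:00:01Z", "method": "POST", "path": "/api/posts",
     "user": "alice", "post_id": 41, "content": 'Agreed with @"bob"#p40, thanks.'},
    {"ts": "2023-01-12T10:05:00Z", "method": "POST", "path": "/api/posts",
     "user": "mallory", "post_id": 42,
     "content": " ".join(f'@"x"#p{i}' for i in range(500, 540))},
    {"ts": "2023-01-12T10:06:00Z", "method": "PATCH", "path": "/api/posts/42",
     "user": "mallory", "post_id": 42, "content": "nothing to see"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def mentioned_ids(content: str) -> set:
    """Distinct post IDs referenced with the @"name"#p<id> syntax."""
    return {int(m) for m in MENTION_RE.findall(content)}


def longest_consecutive_run(ids: set) -> int:
    """Length of the longest run of consecutive IDs (a scan looks sequential)."""
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best


def parse_events(log_text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def analyse(events: list, max_distinct: int = 10, min_run: int = 5) -> list:
    """Return findings for high mention fan-out and for edits that remove
    mentions previously present in the same post (content hidden afterward)."""
    findings = []
    last_mentions = {}                 # post_id -> IDs in its latest version
    for ev in events:
        if ev["method"] not in ("POST", "PATCH") or not ev["path"].startswith("/api/posts"):
            continue
        ids = mentioned_ids(ev["content"])
        run = longest_consecutive_run(ids)
        if len(ids) > max_distinct or run >= min_run:
            findings.append({"rule": "mention_fanout", "user": ev["user"],
                             "post_id": ev["post_id"], "distinct_ids": len(ids),
                             "sequential_run": run})
        if ev["method"] == "PATCH":
            removed = last_mentions.get(ev["post_id"], set()) - ids
            if removed:
                findings.append({"rule": "mentions_removed_on_edit", "user": ev["user"],
                                 "post_id": ev["post_id"], "removed": len(removed)})
        last_mentions[ev["post_id"]] = ids
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_LOG)):
        print(f)
```

Both rules are heuristics: a legitimate post rarely cites more than a handful of other posts, and almost never a contiguous block of IDs, so the thresholds can be tuned per community. On an unpatched forum the fan-out rule is the earlier signal; the edit rule catches the clean-up step and ties it back to the same post ID and user.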

Mitigating the Vulnerability

The vulnerability has been fixed in Flarum version 1.6.3, and users are advised to update their forum software to the latest version. The patch is available as flarum/core v1.6.3, and users can download it from the official Flarum repository. You can find more information about the patch in the official release notes linked below:

Flarum Release Notes v1.6.3

As a temporary workaround, users can disable the mentions extension until they have updated their forum software to the fixed version. This prevents attackers from exploiting the vulnerability through the mentions feature.

In conclusion, it is essential to keep your forum software up to date to prevent vulnerabilities like CVE-2023-22487 from being exploited. If you are running an older version of Flarum, update to the latest version as soon as possible to ensure your community remains safe and secure.

Timeline

Published on: 01/11/2023 20:15:00 UTC
Last modified on: 01/19/2023 16:26:00 UTC