Flarum is a popular discussion platform used for creating forums and managing online communities. Recently, the software was found to have a critical security issue (CVE-2023-22489) that could allow unauthorized users to post replies in locked discussions, or in discussions where replying is otherwise restricted. This vulnerability could lead to uncontrolled spam on the platform and could potentially be abused to trigger unsolicited notification emails. In this post, we will discuss the details of the vulnerability, the affected versions, and the recommended steps for mitigation.

Vulnerability Details

The issue in Flarum stems from an incomplete access-control check. When the first post of a discussion is permanently deleted without removing the entire discussion, the discussion's first_post_id attribute becomes null, and the access-control check for new replies is bypassed. As a result, even users without validated email addresses could create new replies through the REST API.

However, guests cannot exploit this vulnerability, because the API returns a 500 error when it attempts to insert the guest user ID into the database. Furthermore, the discussion needs at least one approved reply to remain visible, which means that the discussions.comment_count value must still be above zero after the first post has been deleted.

Here's a code snippet (illustrative pseudocode, not Flarum's actual source) that demonstrates the issue:

// Illustrative pseudocode of the flawed logic: a missing first post
// short-circuits every reply check instead of falling back to the
// discussion-level permissions.
if (discussion.first_post_id == null) {
    // Access control is skipped
    allowReply = true;
} else {
    // Normal access control checks (locked discussion, email confirmed, ...)
}
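To make the defect and its fix concrete, the following is an added, self-contained Python model written for this post. It is not Flarum's code: the field names (first_post_id, comment_count, is_locked, is_email_confirmed) mirror Flarum's schema, but the policy functions, the User and Discussion classes and the sample rows are assumptions constructed for illustration. It places the flawed check beside a hardened version that never lets the state of the first post decide a reply, and adds an audit helper an administrator could adapt to find discussions that are already in the exposed state (first post hard-deleted, but still visible).

```python
"""Model of the CVE-2023-22489 reply access-control bypass (illustrative, not Flarum code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    id: int                      # Flarum uses id 0 for the guest pseudo-user
    is_email_confirmed: bool
    is_admin: bool = False


@dataclass
class Discussion:
    id: int
    first_post_id: Optional[int]  # becomes None once the first post is hard-deleted
    comment_count: int            # must stay > 0 for the discussion to remain visible
    is_locked: bool = False


GUEST = User(id=0, is_email_confirmed=False)


def _reply_policy(user: User, discussion: Discussion) -> bool:
    """Discussion-level reply permissions (simplified assumption of Flarum's rules)."""
    if user.id == 0:                      # guests may never reply
        return False
    if not user.is_email_confirmed:       # unvalidated accounts may never reply
        return False
    if discussion.is_locked and not user.is_admin:
        return False                      # locked discussions accept replies only from admins
    return True


def vulnerable_can_reply(user: User, discussion: Discussion) -> bool:
    """Flawed logic: a missing first post skips the policy entirely.

    Note that this also says 'True' for the guest; in the real system the
    later database insert of the guest user ID fails with a 500, which is why
    the advisory states that guests cannot actually exploit the bug.
    """
    if discussion.first_post_id is None:
        return True
    return _reply_policy(user, discussion)


def hardened_can_reply(user: User, discussion: Discussion) -> bool:
    """Fixed logic: the first post's existence is irrelevant; always apply the policy."""
    return _reply_policy(user, discussion)


def find_exposed_discussions(discussions: List[Discussion]) -> List[int]:
    """Audit helper: discussions whose first post was hard-deleted yet remain visible.

    On an unpatched instance these are exactly the threads where the bypass applies.
    """
    return sorted(d.id for d in discussions
                  if d.first_post_id is None and d.comment_count > 0)


# Constructed sample rows (not real forum data).
SAMPLE_DISCUSSIONS = [
    Discussion(id=10, first_post_id=None, comment_count=3, is_locked=True),   # exposed
    Discussion(id=11, first_post_id=100, comment_count=3, is_locked=True),    # intact
    Discussion(id=12, first_post_id=None, comment_count=1, is_locked=False),  # exposed
    Discussion(id=13, first_post_id=None, comment_count=0, is_locked=False),  # hidden, not reachable
]

UNVERIFIED_USER = User(id=2, is_email_confirmed=False)
VERIFIED_USER = User(id=3, is_email_confirmed=True)


if __name__ == "__main__":
    locked_no_first_post = SAMPLE_DISCUSSIONS[0]
    print("vulnerable, unverified user on locked thread:",
          vulnerable_can_reply(UNVERIFIED_USER, locked_no_first_post))   # True (bypass)
    print("hardened,   unverified user on locked thread:",
          hardened_can_reply(UNVERIFIED_USER, locked_no_first_post))     # False
    print("exposed discussions:", find_exposed_discussions(SAMPLE_DISCUSSIONS))
```

The audit helper mirrors the two conditions the advisory gives for an exploitable thread (first_post_id is null and comment_count is above zero); the equivalent query against a live database is what an administrator would run to confirm whether any discussion was in that state before the upgrade.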

Affected Versions

The vulnerability affects Flarum versions from v1.3 up to, but not including, v1.6.3 (the release that contains the fix), as per the official CVE record.

Solution and Mitigation

The Flarum development team has fixed the issue and shipped the fix in flarum/core v1.6.3. Communities running Flarum should upgrade to this version as soon as possible. Check the Flarum GitHub repository for detailed information on the release and for upgrade instructions.

Official References

1. CVE-2023-22489 Record on MITRE
2. Flarum GitHub Repository

There are no known workarounds for this vulnerability, so upgrading to the patched version is essential for keeping Flarum installations secure. By updating, community admins ensure that their forums are protected against the spam and unsolicited emails that could result from unauthorized users exploiting this access-control bypass.

Timeline

Published on: 01/13/2023 19:15:00 UTC
Last modified on: 01/23/2023 17:55:00 UTC