Listen to this Post
The vulnerability stems from an authorization inconsistency within the User management controller, specifically a “1-of-N” flaw where certain methods lack proper role verification . While the `store()` and `destroy()` methods correctly check for the ‘owner’ role, the `index()` and `show()` methods at `/api/v1/users` and `/api/v1/users/{id}` are accessible to any authenticated user. This occurs because the route group in `routes/api.php` lacks the necessary admin middleware, only applying the global `auth:api` middleware. Consequently, a standard user can enumerate all accounts via the UserTransformer, which exposes sensitive details like email addresses, roles (owner/demo), and account status (blocked/block reason), leading to a medium-severity information disclosure .
dailycve form:
Platform: Firefly III
Version: prior 5.8.0
Vulnerability : Incorrect Authorization
Severity: 6.5 Medium
date: 2023-01-18
Prediction: already patched
What Undercode Say:
Analytics:
The vulnerability is caused by missing authorization checks in API controllers, a common oversight in web development. The `index` and `show` methods, located at `UserController.php` lines 94 and 126, lack the role validation present in other methods like `store` and destroy. The route group at `routes/api.php:734-747` is only protected by auth:api, not an admin-specific middleware, allowing any authenticated user to query these endpoints.
Exploit:
List all users (enumerate emails and roles) curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users View details of a specific user by ID curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users/1
Protection:
Upgrade to Firefly III version 5.8.0 or later, where the patch implements proper role checks . As a temporary workaround, administrators can manually add middleware to the route group or inject ownership validation into the `index()` and `show()` methods as shown below.
Impact:
Any authenticated user can harvest all email addresses for phishing, identify high-privilege owner accounts for targeted attacks, and enumerate blocked accounts to understand internal security postures. This compromises user privacy and aids in social engineering campaigns.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

