29 Mar

Authenticated Document Modification Vulnerability in BP Group Documents

One of the changelog entries for version 1.10 of the plugin BP Group Documents is “Security fixes “. Looking at the changes made in that version there is code added that checks if a user has permission to edit a document before allowing additional code to run. That seemed very similar to a change made in another BuddyPress plugin, BuddyPress Docs, that we detailed last week and at first we thought the same issue was fixed in this plugin. But upon a closer look we found that the change was to code that did something else and the issue of a user being able to edit documents they shouldn’t existed in the current of this plugin. We notified the developer and less than day later version 1.11 was released, which fixes the vulnerability.

As of version 1.10 the function do_post_logic(), in the file /include/templatetags.php, the only check done before saving changes to a document is to see if there is a valid nonce, which prevents cross-site request forgery (CSRF), included with the request:

79
80
81
82
83
84
85
86
private function do_post_logic() {
    $bp = buddypress();
    if ( isset($_POST['bp_group_documents_operation']) ) {
        $nonce = $_POST['bp_group_document_save'];
        if ( (!isset($nonce)) || (!wp_verify_nonce($nonce , 'bp_group_document_save_' . $_POST['bp_group_documents_operation'])) ) {
            bp_core_add_message(__('There was a security problem' , 'bp-group-documents') , 'error');
            return false;
        }

As long as a user had the ability to edit one document they would have had access to a valid nonce and so they could edit any other document:

In version 1.11 before the code to save changes to a document runs a check to make sure the user can edit that document occurs:

127
if ( $document->current_user_can('edit') ) {

Proof of Concept

When logged in and on the page to edit a document use your web browser’s developer tools to find the line that looks like this:

<input name="bp_group_documents_id" value="2" type="hidden">

Change the value in that to a document ID for a document you are not supposed to be allowed to edit and save the document, the information from the document you are editing will now be set to the document you are supposed to be allowed to edit as well.

Timeline

  • March 28, 2017 – Developer notified.
  • March 29, 2017 – Version 1.11 released, which fixes vulnerability.

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

Leave a Reply

Your email address will not be published. Required fields are marked *