Reading and modifying folder names in Totemo mail (CVE-2020-7918)

We discovered an insecure direct object reference on the folders of the Totemo webmail 7.0.0 secure messaging system. It allows reading and modifying the folder names of other users. The vendor was notified and the flaw has been fixed. More details below:

Totemomail webmail insecure direct reference on folder names CVE-2020-7918
==========================================================================

Summary
-------
Insecure direct object reference in the webmail module of Totemo totemomail
7.0.0 allows authenticated users to read and modify mail folder names of other
users via enumeration.

Details
-------
Totemomail offers a webmail interface for reading and writing e-mails. This
interface allows users to create mail folders. The name of a folder can be
edited with a URL that contains a direct reference to the folder. The references
seem to be sequential. Through enumeration, an authenticated user can find
folders created by other users and see their names. The same URL can also be
used to change the name of a folder belonging to the victim user.

The URL for editing a folder is the following:

https://vulnerable/responsiveUI/webmail/folder.xhtml?folderId=123_45

If a folder exists with the given ID, the name of the folder will be
contained in the response, for example in the title of the HTML page. The page
has a form for modifying the name of the folder. The POST URL for saving the
name is

https://vulnerable/responsiveUI/webmail/folder.xhtml

with parameters

folderForm_firstname_input_text=ALL_YOUR_FOLDERS_ARE_BELONG_TO_US&
folderForm_j_id_34=&folderForm_SUBMIT=1&
javax.faces.ViewState=1atmi[...]IHw%3D%3D

Note that no folder id is given. It is probably recovered through the view state.
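
The following is an added illustration, not Totemo's code, of the access-control pattern behind this finding and its correction: a folder lookup keyed on the id alone, beside a lookup scoped to the authenticated user, with the save path resolving the folder from a stand-in for the server-side view state. The folder records, user names and view-state token are constructed sample data.

```python
from typing import Dict, Optional

# Constructed sample data (not from the advisory): folder records keyed by the
# "<n>_<m>" style id seen in the vulnerable URL, each with an owner.
FOLDERS: Dict[str, Dict[str, str]] = {
    "123_45": {"owner": "alice", "name": "Invoices"},
    "123_46": {"owner": "bob", "name": "Private"},
}

# Constructed stand-in for the server-side JSF view state: an opaque token
# that the save handler resolves back to the folder being edited.
VIEW_STATE: Dict[str, str] = {
    "vs-alice-123_45": "123_45",
}


def get_folder_name_vulnerable(session_user: str, folder_id: str) -> Optional[str]:
    """IDOR pattern: the folder is fetched by id alone and the session user is
    ignored, so any authenticated user can read any folder name by guessing ids."""
    folder = FOLDERS.get(folder_id)
    return folder["name"] if folder else None


def get_folder_name_fixed(session_user: str, folder_id: str) -> Optional[str]:
    """Scope the lookup to the authenticated user. A folder that does not exist
    and a folder owned by someone else give the same answer, so the response
    is no longer an existence oracle that helps enumeration."""
    folder = FOLDERS.get(folder_id)
    if folder is None or folder["owner"] != session_user:
        return None
    return folder["name"]


def save_folder_name_fixed(session_user: str, view_state: str, new_name: str) -> bool:
    """The POST carries no folderId; the id comes from server-side view state.
    That state still has to be checked against the session user before writing."""
    folder_id = VIEW_STATE.get(view_state)
    folder = FOLDERS.get(folder_id) if folder_id else None
    if folder is None or folder["owner"] != session_user:
        return False
    folder["name"] = new_name
    return True


if __name__ == "__main__":
    # bob can read alice's folder through the vulnerable lookup, not the fixed one
    print(get_folder_name_vulnerable("bob", "123_45"))  # Invoices
    print(get_folder_name_fixed("bob", "123_45"))       # None
```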

Vulnerable versions:
--------------------
Tested on Totemo AG Totemomail v7.0.0 b617

Fixed version:
--------------
Totemomail v7.0.0 b618


History
-------

21.01.20 Discovery
22.01.20 Information of the vendor
22.01.20 Acknowledgement by vendor
02.02.20 Patch available
19.03.20 Publication of advisory

References
----------
CVE: CVE-2020-7918
https://www.objectif-securite.ch/2020/03/20/IDOR-totemo-mail-folder.html