Read/write access to mail folder names in Totemo mail (CVE-2020-7918)

We discovered an insecure direct object reference (IDOR) in Totemo webmail 7.0.0 while doing a pentest for a customer. It allows reading and writing the name of mail folders of other users. The vendor has been alerted and has provided a patch. More details below:

Totemomail webmail insecure direct reference on folder names CVE-2020-7918
==========================================================================

Summary
-------
Insecure direct object reference in the webmail module of Totemo totemomail
7.0.0 allows authenticated users to read and modify mail folder names of other
users via enumeration.

Details
-------
Totemomail offers a webmail interface for reading and writing e-mails. This
interface allows users to create mail folders. The name of a folder can be
edited with a URL that contains a direct reference to the folder. The references
seem to be sequential. Through enumeration, an authenticated user can find
folders created by other users and see their names. The same URL can also be
used to change the name of a folder belonging to the victim user.

The URL for editing a folder is the following:

https://vulnerable/responsiveUI/webmail/folder.xhtml?folderId=123_45

If a folder exists with the given ID, the name of the folder will be
contained in the response, for example in the title of the HTML page. The page
has a form for modifying the name of the folder. The POST URL for saving the
name is

https://vulnerable/responsiveUI/webmail/folder.xhtml

with parameters

folderForm_firstname_input_text=ALL_YOUR_FOLDERS_ARE_BELONG_TO_US&
folderForm_j_id_34=&folderForm_SUBMIT=1&
javax.faces.ViewState=1atmi[...]IHw%3D%3D

Note that no folder id is given in the POST; it is probably recovered from the ViewState.
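The following is an added illustration of the flaw described above and of the object-level authorization check that closes it; it is not Totemomail code (the product is a Java/JSF application) and the folder store, user names and ids are constructed stand-ins that only mirror the "123_45" id format from the advisory.

```python
# Model of the IDOR: folder lookup by a direct, sequential id with no ownership
# check, beside the fixed version that resolves ids only within the caller's
# own folders (constructed sample data, not Totemomail internals).
from dataclasses import dataclass


@dataclass
class Folder:
    folder_id: str  # "<mailbox>_<n>", mirroring the advisory's "123_45" example
    owner: str
    name: str


# Constructed store: consecutive ids owned by two different users.
FOLDERS = {
    "123_45": Folder("123_45", "alice", "Invoices"),
    "123_46": Folder("123_46", "bob", "HR-confidential"),
}


class Forbidden(Exception):
    pass


def get_folder_name_vulnerable(session_user, folder_id):
    """Mirrors the flaw: any authenticated user can read any folder by id."""
    folder = FOLDERS.get(folder_id)
    if folder is None:
        raise KeyError(folder_id)
    return folder.name


def get_folder_name_fixed(session_user, folder_id):
    """Authorize the object, not just the session: the id must belong to the caller."""
    folder = FOLDERS.get(folder_id)
    if folder is None or folder.owner != session_user:
        # Same outcome for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("folder not found")
    return folder.name


def rename_folder_fixed(session_user, folder_id, new_name):
    """The write path re-checks ownership instead of trusting id state carried in the form."""
    folder = FOLDERS.get(folder_id)
    if folder is None or folder.owner != session_user:
        raise Forbidden("folder not found")
    if not new_name.strip():
        raise ValueError("empty folder name")
    folder.name = new_name
    return folder.name
```

Unguessable (random) folder identifiers reduce enumeration but are not a substitute for the ownership check on both the read and the rename path.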

Vulnerable versions:
--------------------
Tested on Totemo AG Totemomail v7.0.0 b617

Fixed version:
--------------
Totemomail v7.0.0 b618


History
-------

21.01.20 Discovery
22.01.20 Information of the vendor
22.01.20 Acknowledgement by vendor
02.02.20 Patch available
19.03.20 Publication of advisory

References
----------
CVE: CVE-2020-7918
https://www.objectif-securite.ch/2020/03/20/IDOR-totemo-mail-folder.html