CVE-2023-22487 in Flaruminfo

Summary

by MITRE • 01/11/2023

Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special `@""#p` syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post or not: A URL to the mentioned post is inserted into the actor post HTML, leaking its discussion ID and post number. The `mentionsPosts` relationship included in the `POST /api/posts` and `PATCH /api/posts/` JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions. An attacker only needs the ability to create new posts on the forum to exploit the vulnerability. This works even if new posts require approval. If they have the ability to edit posts, the attack can be performed even more discreetly by using a single post to scan any size of database and hiding the attack post content afterward. The attack allows the leaking of all posts in the forum database, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions like FriendsOfFlarum Byobu. This also includes non-comment posts like tag changes or renaming events. The discussion payload is not leaked but using the mention HTML payload it's possible to extract the discussion ID of all posts and combine all posts back together into their original discussions even if the discussion title remains unknown. All Flarum versions prior to 1.6.3 are affected. The vulnerability has been fixed and published as flarum/core v1.6.3. As a workaround, user can disable the mentions extension.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/01/2023

The vulnerability identified as CVE-2023-22487 affects Flarum forum software versions prior to 1.6.3, specifically targeting the flarum/mentions extension functionality. This issue represents a critical information disclosure vulnerability that undermines the platform's access control mechanisms and data protection measures. The flaw exists within the post mentions feature that allows users to reference other posts using the @""#p syntax, creating a pathway for unauthorized data exposure that bypasses normal permission controls.

The technical implementation of this vulnerability stems from inadequate access control validation within the JSON:API responses generated by the Flarum core. When users create posts containing mentions, the system includes a mentionsPosts relationship in both POST /api/posts and PATCH /api/posts/ responses that exposes the complete JSON:API payload of all referenced posts without any authorization checks. This means that any user capable of creating posts can access information that should be restricted based on their permissions, including content from posts awaiting approval, private discussions, and posts within restricted tags. The vulnerability operates at the API level and affects the core data retrieval mechanisms rather than client-side rendering issues.

The operational impact of this vulnerability is severe and comprehensive, as it enables attackers to systematically enumerate and extract all posts from a forum database regardless of their access permissions. The attack methodology allows for both overt and covert exploitation techniques, with the ability to scan entire databases by creating single posts that reference multiple other posts. Even when new posts require approval, the vulnerability remains exploitable because the access control check occurs at the API response level rather than during post creation. When attackers have edit permissions, they can conduct more discreet scans by hiding malicious post content after the initial data extraction, making detection more difficult.

This vulnerability directly maps to CWE-200 (Information Exposure) and CWE-284 (Improper Access Control) categories, representing a failure in both information hiding and access control validation mechanisms. From an ATT&CK framework perspective, this vulnerability corresponds to T1005 (Data from Local System) and T1041 (Exfiltration Over C2 Channel) techniques, as it enables unauthorized data collection from the target system. The attack vector requires minimal privileges - only the ability to create posts - making it particularly dangerous as it can be exploited by users with basic forum membership rights. The vulnerability also demonstrates a lack of proper data filtering and authorization enforcement in the Flarum API response handling.

The exploitation process involves creating posts with mentions that trigger the API response containing full post payloads, allowing attackers to reconstruct complete forum databases including discussions that should remain private or restricted. The HTML representation of mentions provides enough metadata to extract discussion IDs, enabling reconstruction of the original forum structure even when discussion titles are not exposed. This comprehensive data leakage affects not just regular forum posts but also administrative events, tag changes, and other non-comment posts that may contain sensitive information. The vulnerability's persistence across all Flarum versions prior to 1.6.3 indicates a fundamental flaw in the core access control implementation that required a complete version update to resolve properly.

The fix implemented in Flarum core v1.6.3 addresses this by enforcing proper access control checks on the mentionsPosts relationship within API responses, ensuring that only posts accessible to the requesting user are included in the response. As a temporary workaround, administrators can disable the mentions extension entirely to prevent exploitation, though this removes a legitimate forum feature. The vulnerability serves as a critical reminder of the importance of implementing proper access control validation at all API response levels and demonstrates how seemingly minor features can create significant security risks when access control mechanisms are improperly implemented. Organizations using Flarum should urgently upgrade to version 1.6.3 or later to mitigate this vulnerability and ensure their forum data remains properly protected.

Responsible

GitHub, Inc.

Reservation

12/29/2022

Disclosure

01/11/2023

Moderation

accepted

CPE

ready

EPSS

0.00665

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!