PopRestStore: loginFB (possible security hole)

wget --header "Content-Type: application/json" --debug -O /dev/null --method 'POST' https://demo.moqui.org/rest/s1/pop/loginFB --body-data='{"firstName":"Adam","lastName":"Heath","email":"adam@brainfood.com"}'
[{
  "errorCode" : 400,
  "errors" : "startup failed:\npopstore_CustomerServices_loginFB_Customer: 10: unable to resolve class com.restfb.types.User\n @ line 10, column 17.\n        Skipping 306 bytes of body: [           import com.restfb.types.User\n                   ^\n\npopstore_CustomerServices_loginFB_Customer: 11: unable to resolve class com.restfb.exception.FacebookException\n @ line 11, column 17.\n                   import com.restfb.exception.FacebookException\n                   ^\n\n2 errors\n\n"
}]

It seems that PopRestStore is missing a required Java library. Additionally, I’m concerned about this REST service; it seems like a security hole, allowing anyone to log in with any new or existing email address (as listed in UserAccount); there is no validation at all.

There’s a security vulnerability in the PopRestStore component in the loginFB REST endpoint which allows admin access if you have an admin email address.

The fix is here: Remove loginFB endpoint by acetousk · Pull Request #69 · moqui/PopRestStore · GitHub

Please update your servers as required.

The quick fix for this is to go into resource finder and

  1. comment out lines 32 and 33 of PopRestStore/pop.rest.xml (GitHub, moqui/PopRestStore at commit d19b0dcbb66198a4ba7a875466234b1941709eef).
  2. Then clear all artifacts in the Cache Mgmt screen.
  3. Patch the PopRestStore code on your next update with the latest code.

To check if it has been exploited in the last 3 months:

  1. Search for "s1/pop/loginFB" in the log viewer screen
  2. Search for %loginFB in the Artifact Bin in the artifact hit bin screen

Note:
If you have the latest code as of yesterday, then there should be an exception error thrown because the com.restfb.exception.FacebookException isn’t in the build.gradle file, but if that problem has been fixed then this vulnerability is probably there.

The way to test this is to replace demo.moqui.org with your website and adam@brainfood.com with several different valid admin accounts:

wget --header "Content-Type: application/json" --debug -O /dev/null --method 'POST' https://demo.moqui.org/rest/s1/pop/loginFB --body-data='{"firstName":"Adam","lastName":"Heath","email":"adam@brainfood.com"}'
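As an added example (not code from the thread or from PopRestStore), here is a Python scan that performs the "search for s1/pop/loginFB" log check from the post above offline, over constructed sample lines; the log line layout, the 90-day window and the client addresses are assumptions, and only HTTP 200 responses are counted as possible logins.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Path fragment the post tells you to search for in the log viewer screen.
LOGINFB_MARKER = "s1/pop/loginFB"

# Assumed line layout (an assumption, not Moqui's real log format):
#   <UTC timestamp> <client ip> <HTTP method> <request path> <status>
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<ip>[\d.]+)"
                     r"\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")

# Constructed sample: four loginFB calls (one older than the window, one rejected
# with 400, two successes from the same address) mixed with ordinary traffic.
SAMPLE_LOG = """\
2024-01-05T08:00:00Z 203.0.113.7 POST /rest/s1/pop/loginFB 200
2024-05-20T12:30:11Z 198.51.100.23 POST /rest/s1/pop/loginFB 200
2024-05-21T09:10:45Z 198.51.100.23 POST /rest/s1/pop/loginFB 200
2024-05-21T09:12:00Z 198.51.100.23 GET /rest/s1/pop/customer/info 200
2024-05-22T16:45:09Z 192.0.2.44 POST /rest/s1/pop/loginFB 400
2024-05-22T16:50:00Z 192.0.2.44 GET /apps/pop/products 200
"""
# Constructed "today" for the three-month lookback.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec

def find_loginfb_hits(log_text, now, window_days=90):
    """Every loginFB request inside the lookback window, regardless of status."""
    cutoff = now - timedelta(days=window_days)
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and LOGINFB_MARKER in rec["path"] and rec["ts"] >= cutoff]

def suspicious_sources(hits):
    """Successful (HTTP 200) loginFB calls per client IP; a failed call proves nothing."""
    return Counter(h["ip"] for h in hits if h["status"] == 200)

if __name__ == "__main__":
    for ip, n in suspicious_sources(find_loginfb_hits(SAMPLE_LOG, NOW)).most_common():
        print(f"{ip}: {n} successful loginFB call(s) in the last 90 days")
```

Point it at a real log by reading the file into `find_loginfb_hits` instead of `SAMPLE_LOG`, after adjusting `LINE_RE` to the server's actual line layout.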