PhilETaylor
10 Jun 2020

Steps to reproduce the issue

Log in to the Joomla 4 admin as someone who can send private messages.

Easier to replicate as a super admin, but for bonus points log in as a manager after allowing the manager level full access to private messaging but not users - this will result in them NOT getting a User Selector modal, e.g. #29548

Edit the HTML of the page to fake a user id to send to; for giggles, choose a Registered-level user id (999 is used in this example).

If using the manager level with no com_users access, you need to inject this field into the DOM:

<input type="hidden" id="jform_user_id_to_id" name="jform[user_id_to]" value="999" class="field-user-input required" data-onchange="" required="">

For both manager and super admin, you also need to change the value of the custom element

from

<input type="text" id="jform_user_id_to" class="form-control field-user-input-name required form-control-danger invalid" value="" required="" readonly="" aria-invalid="true">

to

<input type="text" id="jform_user_id_to" class="form-control field-user-input-name required form-control-danger" value="999" required="" readonly="" aria-invalid="true">

Compose a message and click Send.

Expected result

Joomla doesn't send a message to a user who cannot otherwise be selected from the list of users in the modal, that list consisting of people who have ACL access to com_messages.

Actual result

Joomla stores a message in the database, and alerts by email the registered user with id 999 that they have a new private message, which they cannot access as they have no ACL for com_messages.

Additional comments

The only people who should be able to RECEIVE private messages should be those with permission to com_messages; therefore Joomla should reject any other provided user id.

Joomla DOES validate that the user with id 999 exists, but it doesn't check if they have permission to use private messaging.

Probably a small security issue... but it requires a super admin logged in, or a manager logged in with a specific com_messages ACL allowed, so I'm posting here. // @SniperSister

PhilETaylor - comment - 10 Jun 2020

#29545 (comment): Without changing who can see the user list, the quickest solution is to add com_users checks in com_messages so users without access to com_users don't even see the new message button.

Just hiding the new button is not going to stop a faked request being made. There needs to be valid ACL checking also on sending.
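The check the report asks for in "Additional comments" and in the comment above is a server-side one on the recipient, not the sender. The following is an added illustration written for this page; it is not Joomla's own code and not the contents of the referenced PR. It assumes a Joomla 4 runtime (Factory, UserFactoryInterface, User::authorise()), the action names from the Private Messages permissions tab (core.manage on com_messages) and the backend login action (core.login.admin); the function names and the language key COM_MESSAGES_ERROR_INVALID_RECIPIENT are hypothetical.

```php
<?php
// Added example: a send-side recipient check for com_messages.
// Assumes a Joomla 4 runtime; function names and the language key are
// hypothetical, not Joomla's own.

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\User\User;
use Joomla\CMS\User\UserFactoryInterface;

/**
 * Decide whether $userId may receive a private message.
 *
 * Existence of the user is what the report says is already validated.
 * The two authorise() calls are the missing part: the recipient must be
 * able to reach the administrator interface and the Private Messages
 * component, the same gate they would hit when trying to read the message.
 */
function recipientCanReceiveMessage(int $userId): bool
{
    // Reject 0, negatives and anything else that cannot be a user id.
    if ($userId <= 0) {
        return false;
    }

    /** @var User $recipient */
    $recipient = Factory::getContainer()
        ->get(UserFactoryInterface::class)
        ->loadUserById($userId);

    // loadUserById() yields a User with id 0 when no such row exists.
    if ((int) $recipient->id === 0 || $recipient->block) {
        return false;
    }

    // Backend login plus "Access Administration Interface" on com_messages.
    return $recipient->authorise('core.login.admin')
        && $recipient->authorise('core.manage', 'com_messages');
}

/**
 * Where the check belongs: in the model's save path, before the row is
 * stored and before any notification email is sent, so a forged
 * jform[user_id_to] is rejected no matter what the modal did or did not
 * offer. $data follows the shape of the submitted jform array; this is a
 * sketch of the placement, not a drop-in replacement for the model.
 */
function validateRecipient(array $data): bool
{
    $to = (int) ($data['user_id_to'] ?? 0);

    if (!recipientCanReceiveMessage($to)) {
        // One generic error: do not tell the sender which condition failed.
        Factory::getApplication()->enqueueMessage(
            Text::_('COM_MESSAGES_ERROR_INVALID_RECIPIENT'), // hypothetical key
            'error'
        );

        return false;
    }

    return true;
}
```

The point of placing the check in the save path is the one made in the comment above: hiding the New button or the user selector only changes what the form offers, while the request that reaches the server can carry any user_id_to value, so the authorisation of the recipient has to be evaluated where the message is actually stored and the notification email is triggered.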

SharkyKZ - comment - 10 Jun 2020

Please test PR #29566.

SharkyKZ - change - 10 Jun 2020
Status: New → Closed
Closed date: 2020-06-10 12:22:32
Closed by: SharkyKZ
