
Marmind Authorization Bypass

An authorization bypass vulnerability in the Marmind web application, version 4.1.141.0, allows users with lower privileges to access files uploaded by administrative users. The affected files were not visible to the low-privileged users in the web GUI. The vulnerability was reported as CVE-2020-26506.

Background

We discovered a security issue in the Marmind web application, version 4.1.141.0. Marmind is software that combines campaigns, budgets and results into one central marketing plan. An attacker with access to the network, or a disgruntled employee, can access files that should not be available to the roles assigned to them.

Steps to Reproduce

Upon creating a new campaign, an administrative user is able to upload new files in the “Assets” section of the web application. Users with adequate permissions can download all existing assets of a specific campaign. After navigating to the URL of an asset from the targeted campaign, a user without privileges receives an HTTP response stating that access to the asset has been denied. However, even though the user is not authorized to access the asset, a download is started automatically and the file is saved to the user's computer.

The following screenshots show how the vulnerability was exploited:

Accessible campaigns by the user “GADMINE”

Assets visible in the “testtest” campaign

Users included to the “testtest” campaign that are privileged to see its assets

User “SADMINE” is not privileged to access the “testtest” campaign and its assets

Unauthorized download of asset from campaign of an administrative user

Root Cause

This issue exists due to broken access controls in the web application. To mitigate it, we recommend that the server verify whether the requesting user has the necessary privileges before performing any action. The verification should rely on the server-side session (identified by the session token sent by the client), not on anything the client claims about its own role.

Fix / Producer Statement

The issue was reported to Marmind. The identified business threat was evaluated and a fix has been implemented.

In the current version 4.1.146.0, general changes have been made to how binary data is provided through the Marmind API. In previous versions, the binaries were accessed directly through a reverse proxy hosted in the dedicated Media Asset Management Service, which has no user authorization functionality. The direct routes to the Media Asset Management Service have now been removed and a new API gateway has been implemented that ensures proper authorization checks on every request for an application's asset.
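The pattern recommended in the Root Cause section and described in the producer statement, as an added example that is not Marmind's code: a gateway that decides access from the server-side session and the asset's campaign membership before touching the media store, plus a check that a denied response carries no asset bytes. All names, the session store and the sample asset are constructed.

```python
"""Added example (not Marmind's code): API-gateway style authorization for
campaign asset downloads, modelled on the fix described in the advisory."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data; identifiers are hypothetical, not taken from the product.
SESSIONS = {"tok-gadmine": "GADMINE", "tok-sadmine": "SADMINE"}      # server-side session store
CAMPAIGN_MEMBERS = {"testtest": {"GADMINE"}}                          # campaign -> users who may see its assets
ASSETS = {"asset-1": ("testtest", b"%PDF-1.4 constructed sample")}    # asset id -> (campaign, bytes)


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: dict = field(default_factory=dict)


def fetch_from_media_store(asset_id: str) -> bytes:
    """Stands in for the internal media service, which is reachable only through the gateway."""
    return ASSETS[asset_id][1]


def is_authorized(user: str, asset_id: str) -> bool:
    """A user may download an asset only if they belong to the asset's campaign."""
    campaign = ASSETS[asset_id][0]
    return user in CAMPAIGN_MEMBERS.get(campaign, set())


def gateway_download(session_token: Optional[str], asset_id: str) -> Response:
    """Resolve the user from the server-side session, then authorize before serving."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return Response(401)                      # no valid session: nothing is fetched
    if asset_id not in ASSETS:
        return Response(404)
    if not is_authorized(user, asset_id):
        return Response(403)                      # deny early: no body, no attachment header
    data = fetch_from_media_store(asset_id)       # only reached for authorized users
    return Response(200, data, {"Content-Disposition": f'attachment; filename="{asset_id}"'})


def leaks_content(resp: Response) -> bool:
    """True if a non-200 response still carries asset bytes or triggers a download,
    which is the symptom observed in the vulnerable version."""
    return resp.status != 200 and (bool(resp.body) or "Content-Disposition" in resp.headers)
```

`leaks_content` is the property a regression test should hold against every denied response: a 403 that still ships the file is exactly what the screenshots above show.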

Credit

Credit for finding and reporting the issue:
• Evgeni Sabev (Deloitte)