CVE-2026-13546

Missing Authentication in Feehi CMS REST API

Vulnerability report for CVE-2026-13546, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was found in Feehi CMS up to 2.1.1. This vulnerability affects unknown code of the file /api/articles of the component REST API Endpoint. Performing a manipulation results in missing authentication. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information

  • Published: 2026-06-29
  • Last Modified: 2026-06-29
  • Generated: 2026-06-29
  • AI Q&A: 2026-06-29
  • EPSS Evaluated: N/A
  • External references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

  Vendor   Product     Version / Range
  feehi    cms         up to 2.1.1 (inclusive)
  liufee   feehi_cms   up to 2.1.1 (inclusive)

CWE

  • CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
  • CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

AI Quick Actions
Executive Summary

The vulnerability exists in Feehi CMS version 2.1.1 within the REST API endpoints related to articles (/articles and /articles/{id}). These endpoints allow unauthenticated attackers to perform full CRUD (Create, Read, Update, Delete) operations on articles without any authentication.

This means an attacker can read all articles, including unpublished drafts that may contain sensitive information, modify existing articles, or delete any article. The root cause is missing authentication checks on these API endpoints.

The issue was reported with proof-of-concept examples and the recommended fix is to implement proper authentication mechanisms, such as CompositeAuth, similar to other secured controllers in the system.

Impact Analysis

This vulnerability can have significant impacts including unauthorized disclosure, modification, and deletion of content within the Feehi CMS.

  • Attackers can access sensitive unpublished drafts, leading to potential information leaks.
  • Attackers can modify existing articles, potentially injecting malicious or misleading content.
  • Attackers can delete articles, causing data loss and disruption of service.

Since the attack can be performed remotely without authentication, it poses a high risk to the integrity and confidentiality of the content managed by Feehi CMS.

Detection Guidance

This vulnerability can be detected by testing the REST API endpoints /api/articles and /api/articles/{id} for unauthorized access. Specifically, you can attempt to perform GET, POST, PUT, and DELETE requests without authentication to see if the system allows these operations.

Suggested commands using curl to test for the vulnerability include:

  • curl -X GET http://yourserver/api/articles
  • curl -X POST http://yourserver/api/articles -d '{"title":"test"}' -H 'Content-Type: application/json'
  • curl -X PUT http://yourserver/api/articles/{id} -d '{"title":"updated title"}' -H 'Content-Type: application/json'
  • curl -X DELETE http://yourserver/api/articles/{id}

If these commands succeed without authentication, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to implement proper authentication on the /api/articles REST API endpoints to prevent unauthenticated access.

Specifically, modify the ArticleController to require authentication, for example by using CompositeAuth, similar to the security measures applied in the UserController.
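The CompositeAuth fix described above, as an added illustrative Yii2 example (Feehi CMS is a Yii2 application, but this is not the project's own code): the namespace, the controller and model class names, and the choice of bearer-token and query-parameter authentication are assumptions. The first controller shows the pattern that leaves a yii\rest controller open to anonymous CRUD; the second shows the hardened form.

```php
<?php
// Added illustrative example (generic Yii2 pattern, not Feehi CMS code).
// Assumptions: namespace, controller names, and the Article model class.
namespace api\controllers;

use yii\rest\ActiveController;
use yii\filters\auth\CompositeAuth;
use yii\filters\auth\HttpBearerAuth;
use yii\filters\auth\QueryParamAuth;

/**
 * Weak form. yii\rest\Controller already registers an 'authenticator'
 * behavior backed by CompositeAuth, but with an EMPTY authMethods list.
 * CompositeAuth::beforeAction() returns true when authMethods is empty,
 * so index/view/create/update/delete all run with no identity check:
 * exactly the CWE-306 condition this advisory describes.
 */
class OpenArticleController extends ActiveController
{
    public $modelClass = 'common\models\Article'; // assumed model class

    // No behaviors() override: inherits the no-op authenticator.
}

/**
 * Hardened form. Supplying authMethods makes CompositeAuth try each
 * method in order; if none yields an identity, Yii answers 401
 * Unauthorized and the action never executes. The filter covers every
 * action, so unpublished drafts are no longer readable anonymously and
 * writes require a valid token. The configured user identity class must
 * implement IdentityInterface::findIdentityByAccessToken().
 */
class ArticleController extends ActiveController
{
    public $modelClass = 'common\models\Article'; // assumed model class

    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = [
            'class' => CompositeAuth::class,
            'authMethods' => [
                HttpBearerAuth::class,  // Authorization: Bearer <token>
                QueryParamAuth::class,  // ?access-token=<token>
            ],
        ];
        return $behaviors;
    }
}
```

After deploying the change, the GET request from the Detection Guidance above should return 401 instead of the article list; a 200 means the authenticator is still not effective for that action.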

Until a patch or update is available, consider restricting access to the API endpoints via network controls such as firewall rules or IP whitelisting to limit exposure.

Compliance Impact

The vulnerability in Feehi CMS allows unauthenticated attackers to perform full CRUD operations on articles via exposed REST API endpoints without authentication.

This unauthorized access can lead to exposure, modification, or deletion of sensitive information, including unpublished drafts.

Such exposure and manipulation of sensitive data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, this vulnerability poses a risk to compliance by potentially allowing unauthorized data access and modification.
