Cfx.re FXServer Incorrect Access Control Vulnerability Allowing Unauthenticated User Data Modification and Access
Vulnerability
Cfx.re FXServer builds through 9601 allow unauthenticated users to read and modify arbitrary user data via an exposed HTTP API endpoint. The endpoint enforces no access control, so any client that can reach the server's HTTP port can retrieve or manipulate the data it serves.
Impact
Exploitation allows unauthorized access to, and modification of, user data, including sensitive identifiers such as Steam IDs, FiveM license keys, Xbox Live IDs, Discord user IDs, and in-game session IDs. These identifiers are stable across sessions and servers, so they can be used to track or target a player beyond the affected server.
Reproduction
To reproduce, join a server running FXServer build 9601 or earlier, then request the exposed HTTP API endpoint that serves player data. The response includes the server's IP address, each connected player's identifiers, FiveM usernames, and current ping. Restricting that API endpoint does not close the issue: every server on builds through 9601 also serves a 'players.json' file that unauthenticated users can view and modify, and it carries the same player identifiers.
Remediation
Server owners can stop player identifiers from being published through 'players.json' by setting the 'sv_exposePlayerIdentifiersInHttpEndpoint' ConVar to false, and should confirm the change by requesting 'players.json' from outside the server and checking that the identifier lists are empty. This is a mitigation rather than a fix: it removes the identifiers from the response but does not add access control to the endpoint, which is the underlying issue.
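The following audit script is an added example and is not part of this advisory or of Cfx.re's own code. It summarises which identifier types a 'players.json' response exposes (the check a server owner would run before and after the remediation above) and reads a 'server.cfg' to see how 'sv_exposePlayerIdentifiersInHttpEndpoint' is set. The response shape it parses (a JSON array of player objects with 'identifiers', 'name', 'ping' and 'endpoint' fields), the identifier prefixes, the sample responses and the sample config lines are all assumptions constructed for the example, not data from a real server.

```python
"""Audit FXServer identifier exposure via players.json and server.cfg.

Added example, not part of the advisory or of Cfx.re's own code.
Assumptions (constructed for this example): players.json is a JSON array of
player objects with "identifiers" (a list of "prefix:value" strings), "name",
"ping" and "endpoint" fields; the sample bodies and config lines below are
made up and do not come from a real server.
"""
import json
import re
import urllib.request

# Identifier prefixes the advisory names, mapped to what they reveal about a player.
SENSITIVE_PREFIXES = {
    "steam": "Steam ID",
    "license": "FiveM license key",
    "xbl": "Xbox Live ID",
    "discord": "Discord user ID",
    "fivem": "Cfx.re account ID",
}

CONVAR = "sv_exposePlayerIdentifiersInHttpEndpoint"


def fetch_players_json(host, port=30120, timeout=5.0):
    """Unauthenticated GET of /players.json from the server's HTTP port (assumed default 30120)."""
    url = f"http://{host}:{port}/players.json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def assess_players_json(body):
    """Summarise which identifier types a players.json body exposes.

    Returns a dict with the player count, whether any identifiers are present,
    a per-prefix count, and the sorted list of sensitive prefixes seen.
    """
    players = json.loads(body)
    if not isinstance(players, list):
        raise ValueError("players.json is expected to be a JSON array of players")
    by_prefix = {}
    for player in players:
        for ident in player.get("identifiers", []):
            prefix = ident.partition(":")[0].lower()
            by_prefix[prefix] = by_prefix.get(prefix, 0) + 1
    return {
        "player_count": len(players),
        "identifiers_exposed": bool(by_prefix),
        "by_prefix": by_prefix,
        "sensitive": sorted(p for p in by_prefix if p in SENSITIVE_PREFIXES),
    }


# Matches the ConVar whether written bare or with set/sets/setr; the last match wins.
_CONVAR_RE = re.compile(
    r"^\s*(?:set|sets|setr)?\s*" + re.escape(CONVAR) + r'\s+"?(true|false|1|0)"?\s*$',
    re.IGNORECASE | re.MULTILINE,
)


def convar_exposes_identifiers(server_cfg):
    """True/False if server.cfg sets the ConVar; None if it is not set at all.

    None means the build's default applies; confirm with assess_players_json()
    against a live response rather than assuming the default.
    """
    last = None
    for match in _CONVAR_RE.finditer(server_cfg):
        last = match.group(1).lower()
    if last is None:
        return None
    return last in ("true", "1")


# Constructed sample data (not from a real server).
SAMPLE_EXPOSED = json.dumps([
    {"endpoint": "203.0.113.7", "id": 1, "name": "PlayerOne", "ping": 42,
     "identifiers": ["steam:110000100000001", "license:0123456789abcdef",
                     "discord:123456789012345678", "xbl:2535400000000001"]},
    {"endpoint": "198.51.100.9", "id": 2, "name": "PlayerTwo", "ping": 88,
     "identifiers": ["license:fedcba9876543210", "fivem:987654"]},
])
SAMPLE_HARDENED = json.dumps([
    {"endpoint": "203.0.113.7", "id": 1, "name": "PlayerOne", "ping": 42, "identifiers": []},
])
SAMPLE_CFG_WEAK = 'sv_hostname "demo"\nset sv_exposePlayerIdentifiersInHttpEndpoint true\n'
SAMPLE_CFG_FIXED = 'sv_hostname "demo"\nset sv_exposePlayerIdentifiersInHttpEndpoint false\n'


if __name__ == "__main__":
    for label, body in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(label, assess_players_json(body))
    for label, cfg in (("weak", SAMPLE_CFG_WEAK), ("fixed", SAMPLE_CFG_FIXED)):
        print(label, "exposes identifiers:", convar_exposes_identifiers(cfg))
```

Against a live server, replace the constructed bodies with `fetch_players_json(host)` and compare the result before and after applying the ConVar; an unset ConVar is reported as `None` on purpose, because the effective default depends on the build and only the live response settles it.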
