CRMEB Improper Authentication Vulnerability in JSON Token Handling

Vulnerability

An improper-authentication vulnerability has been identified in CRMEB versions through 5.6.3. The issue lies in the remoteRegister function in LoginServices.php, part of the JSON Token Handler component. The endpoint accepts a token that is nothing more than a base64-encoded JSON object and never checks it for a signature, so an attacker can set the uid field to any value and bypass the authentication check. The flaw is remotely exploitable and has been publicly disclosed, with a working exploit available.

Impact

Exploitation allows unrestricted account creation, or account takeover by logging in as any existing user whose uid is known. The attacker then holds that user's privileges, including the ability to modify personal data and self-serve fields such as the account balance and points. Because the token is accepted without any signature check, the JWT signature verification that should gate authentication is bypassed entirely.

Reproduction

To exploit this vulnerability, an attacker builds a JSON payload containing arbitrary user information (uid, phone number, nickname, avatar, and other profile fields), base64-encodes it, and sends the result as the token to the remote_register endpoint. Because no signature is verified, the server accepts the attacker-chosen values and authenticates the request as the user identified by uid.

Remediation

Users are advised to disable the remote_register feature and to implement proper JWT verification: decode a token only after validating its signature against the application's secret key, and reject any token that fails that check.
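The vulnerable pattern beside the hardened one, as an added example that is not CRMEB's code: the remoteRegister logic is modelled in Python rather than PHP, the function names, the constructed secret and the sample payloads are assumptions for the demonstration, and the HS256 verifier is written by hand so it runs with the standard library alone. The forged token is the one the Reproduction section describes; the hardened handler is the remediation called for above, with two extra checks a practitioner would also want: the algorithm is pinned so an alg of none cannot switch verification off, and an expiry is required.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this demonstration only; a real deployment loads
# its key from configuration and never embeds it in code.
SECRET = b"demo-secret-not-the-real-app-key"


class InvalidToken(Exception):
    """Raised by the hardened handler when a token fails any check."""


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def forge_unsigned_token(uid: int, **fields) -> str:
    """What the attacker sends: a plain JSON object, base64-encoded, no signature.
    uid, nickname, phone, avatar and so on are chosen freely by the client."""
    payload = {"uid": uid, **fields}
    return base64.b64encode(json.dumps(payload).encode()).decode("ascii")


def vulnerable_remote_register(token: str) -> dict:
    """Pattern the advisory describes: decode the token and trust whatever uid
    it carries. Nothing ties the payload to the server's secret."""
    payload = json.loads(base64.b64decode(token))
    return {"uid": int(payload["uid"]), "nickname": payload.get("nickname", "")}


def sign_jwt_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token the way a trusted issuer should: HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the payload only if its signature verifies under the server's secret."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("undecodable header or signature")
    # Pin the algorithm: the header is attacker-controlled until the signature checks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare; a plain == would leak timing on the signature bytes.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] < now:
        raise InvalidToken("missing or expired exp")
    return payload


def hardened_remote_register(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Remediated handler: only a payload that survived verification reaches the
    account logic, so uid is what the issuer signed, not what the client chose."""
    payload = verify_jwt_hs256(token, secret, now)
    return {"uid": int(payload["uid"]), "nickname": payload.get("nickname", "")}


if __name__ == "__main__":
    forged = forge_unsigned_token(1, nickname="attacker", phone="13800000000")
    print("vulnerable handler accepts forged uid:", vulnerable_remote_register(forged))
    try:
        hardened_remote_register(forged, SECRET)
    except InvalidToken as exc:
        print("hardened handler rejects forged token:", exc)
    legit = sign_jwt_hs256({"uid": 42, "nickname": "alice", "exp": 2_000_000_000}, SECRET)
    print("hardened handler accepts signed token:",
          hardened_remote_register(legit, SECRET, now=1_000_000_000))
```

The verifier rejects before it parses the payload: a token with the wrong number of segments, a non-HS256 header, or a signature that does not match the server's key never reaches the uid lookup. Re-signing a tampered payload requires the secret, which is exactly what the unsigned base64 scheme never demanded.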

Added: Jan 20, 2026, 1:24 AM
Updated: Jan 20, 2026, 1:24 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 9.7
remediation: 8.3
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to produce these eight category scores, which are then combined to calculate the overall risk score.