Slah CMS Sensitive Data Exposure Vulnerability
Vulnerability
A vulnerability allowing sensitive data exposure has been identified in Slah CMS versions through 1.5.0. This issue arises from incorrect access control in the config.php component, where active session credentials are logged in plaintext to a publicly accessible JavaScript file. As a result, unauthenticated attackers can retrieve sensitive information, including session keys, usernames, and passwords, potentially leading to unauthorized account access.
Impact
Exploitation of this vulnerability allows for unauthorized access to user accounts, particularly administrative ones, by harvesting and using exposed session credentials. This could disrupt public sector administrative operations, given Slah CMS's widespread use in Brazilian governmental web management.
Reproduction
The vulnerability can be reproduced by accessing the 'public/assets/js/logged.js' file on a server running Slah CMS through version 1.5.0. This file is served as a static asset without any authentication checks, allowing anyone to download it and view the logged session data. The 'session()' function in 'config.php' appends session information directly into this JavaScript file, including sensitive details like email addresses and passwords, which can be exploited to bypass authentication and gain access to the administrative dashboard.
Remediation
Users are advised to update Slah CMS to the latest patched version. Additionally, the insecure logging mechanism in 'config.php' should be removed, as session credentials must not be written to publicly accessible files.
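To confirm on your own server that no credential-like data remains in logged.js or any other static script, the following added example (not Slah CMS code and not part of the original advisory) scans the public/assets tree of an install root and reports file, line number and type of match without echoing the values. The field-name patterns and the sample file contents are assumptions, since the advisory does not give the log format.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns: the advisory says the file holds session keys, e-mail
# addresses and passwords, but does not give the exact log format.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "password": re.compile(r"(?i)\b(?:pass(?:word)?|senha)\b[\"']?\s*[:=]"),
    "session": re.compile(r"(?i)\b(?:session(?:_?(?:id|key|token))?|phpsessid)\b[\"']?\s*[:=]"),
}

def scan_file(path):
    """Return [(line_no, sorted kinds)] for lines that look like credentials.
    Matched values are never returned, so the report is safe to share."""
    hits = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), start=1):
        kinds = sorted(k for k, rx in PATTERNS.items() if rx.search(line))
        if kinds:
            hits.append((no, kinds))
    return hits

def audit(install_root):
    """Scan every .js file under public/assets (this includes js/logged.js)."""
    root = Path(install_root)
    report = {}
    for path in sorted((root / "public" / "assets").rglob("*.js")):
        hits = scan_file(path)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed install tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        js = Path(tmp) / "public/assets/js"
        js.mkdir(parents=True)
        # Constructed sample lines, not real Slah CMS output.
        (js / "logged.js").write_text(
            '// logged sessions\n'
            '{"session_key": "EXAMPLE", "email": "admin@example.org", "password": "EXAMPLE"}\n'
        )
        (js / "menu.js").write_text("function toggle(el) { el.hidden = !el.hidden; }\n")
        return audit(tmp)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Any hit in a file served from public/assets means the session and password data it refers to should be treated as exposed and rotated, not just deleted from the file.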
