StudioCMS S3 Storage Manager Authorization Bypass Vulnerability
Vulnerability
An authorization bypass vulnerability has been identified in StudioCMS versions prior to 0.3.1. The issue arises in the S3 storage manager's isAuthorized() function, which is declared as asynchronous but is called without await in the POST and PUT handlers. Because the handlers test the returned Promise object rather than the boolean it resolves to, and a Promise is always truthy, the check never fails. This allows any authenticated user with the lowest visitor role to bypass authorization and gain unrestricted access to upload, delete, rename, and list all files in the S3 bucket.
Impact
Exploiting this vulnerability allows authenticated users with the visitor role to fully manage S3 storage, including uploading, deleting, renaming, and listing files. This access is normally restricted to users with editor roles or higher. As a result, an attacker could delete important files, causing data loss, or upload malicious content that replaces legitimate files.
Reproduction
To reproduce this vulnerability, log in as a user with the visitor role and obtain a session cookie. Then, send a POST request to the '/studiocms_api/integrations/storage/manager' endpoint to list files in the S3 bucket. The response should be 401 Unauthorized, but due to the vulnerability, it will be 200 with a full bucket listing. Similarly, uploading or deleting files through the same endpoint will also succeed, bypassing the authorization checks that should be in place.
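The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections; it is not StudioCMS code. It shows a handler that forgets to await an async isAuthorized() check next to the corrected handler, and a small static guard a project could run over its own sources. ROLE_RANK, the body of isAuthorized(), listBucket(), makeRequest() and hasUnawaitedAuthCheck() are all constructed for this example; only the endpoint path is taken from the advisory.

```javascript
// Constructed role ordering; StudioCMS's real role model is not assumed here.
const ROLE_RANK = { visitor: 0, editor: 1, admin: 2 };

// Simulates an authorization check that has to consult a session store or
// database, so it is async and resolves to a boolean (constructed stand-in).
async function isAuthorized(ctx, minimumRole = 'editor') {
  await Promise.resolve(); // stand-in for real I/O
  return ROLE_RANK[ctx.user.role] >= ROLE_RANK[minimumRole];
}

// Stand-in for the S3 listing; constructed data, no real bucket involved.
function listBucket() {
  return ['uploads/logo.png', 'uploads/report.pdf'];
}

// Vulnerable pattern: the call is not awaited, so the condition tests a
// pending Promise object. A Promise is always truthy, so `!isAuthorized(ctx)`
// is always false and the 401 branch is unreachable for every caller.
async function vulnerableHandler(ctx) {
  if (!isAuthorized(ctx)) {
    return { status: 401, body: 'Unauthorized' };
  }
  return { status: 200, body: listBucket() };
}

// Fixed pattern: await the check so the resolved boolean is what is tested.
async function fixedHandler(ctx) {
  if (!(await isAuthorized(ctx))) {
    return { status: 401, body: 'Unauthorized' };
  }
  return { status: 200, body: listBucket() };
}

// Builds a minimal request context for the endpoint named in the advisory.
function makeRequest(role) {
  return {
    method: 'POST',
    path: '/studiocms_api/integrations/storage/manager',
    user: { role },
  };
}

// Narrow static guard: flags `!isAuthorized(` that is not wrapped in `await`.
// It only catches this one function name; see the usage note for a general rule.
function hasUnawaitedAuthCheck(sourceText) {
  return /!\s*isAuthorized\s*\(/.test(sourceText);
}

async function demo() {
  const visitor = makeRequest('visitor');
  console.log('vulnerable, visitor:', (await vulnerableHandler(visitor)).status); // 200
  console.log('fixed, visitor:', (await fixedHandler(visitor)).status);           // 401
  console.log('fixed, editor:', (await fixedHandler(makeRequest('editor'))).status); // 200
  console.log('guard flags vulnerable source:',
    hasUnawaitedAuthCheck('if (!isAuthorized(ctx)) {'));        // true
  console.log('guard passes fixed source:',
    hasUnawaitedAuthCheck('if (!(await isAuthorized(ctx))) {')); // false
}

demo().catch((err) => { console.error(err); process.exit(1); });
```

The regex guard is deliberately minimal. In a TypeScript project the general form of this check is the `@typescript-eslint/no-misused-promises` lint rule, which reports a Promise used directly in a conditional; enabling it in CI turns a forgotten await on any authorization check into a build failure rather than an authorization bypass.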
Remediation
Users are advised to update to StudioCMS version 0.3.1, where this vulnerability has been fixed.
