Hello,
A potential vulnerability in the exports was recently discovered: when an encrypted URL is used (/export?q=... or /export?x=...), an attacker may forge an encrypted URL as if it were generated for someone else. The encrypted URLs allow for elevating the request's permissions as if it were made by the user for whom the encrypted/hashed export URL was provided. This is primarily used to generate an iCalendar URL that can be used in a Calendar application (such as Outlook or Google Calendar) to subscribe to a personal schedule, but due to the aspect-oriented design of the exports, it can also be used for other exports.
The vulnerability has been fixed in the most recent versions of UniTime 4.7 (build 121 or later), UniTime 4.8 (build 224 or later), and UniTime 4.9 (build 135 or later). Additionally, a configuration option has been added to further restrict which exports support encrypted query authorizations (with the new default only allowing the iCalendar exports to do so).
To further secure the URL encryption, please make sure that the unitime.encode.secret application property is set to a non-default value. This is to prevent an attacker from decrypting an encrypted URL using the UniTime defaults. It is essentially a password, and there are no limitations on the characters used or length. The setting can be changed on the Administration > Defaults > Configuration page, or in the custom properties.
Best regards,
Tomas Muller
UniTime PMC Chair