Security Disclosure: Low-impact, low-severity - Information leakage in AMP 2.4.6.x

This issue has been fixed in the AMP 2.4.7 update. The CVE number is CVE-2024-22090.

In AMP 2.4.6.x, there was a session handling bug: if an API call used lazy evaluation, was invoked asynchronously, and referenced the current session as part of that lazy query, it could end up holding a reference to another, random session. The same bug also affected ‘anonymous’ methods that could be invoked without a session.

This affected the GetModuleInfo and GetActiveAMPSessions API calls. The former would result in the disclosure of the current instance name, even though that is not normally accessible except to authenticated users. The latter would cause AMP to reveal the usernames and IP addresses of logged-in users even if the current user was only supposed to have permission to view their own sessions.

This has been addressed by making sure that the session reference is correctly preserved for API calls that are either anonymous or use async lazy evaluation.
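The bug class described above (a lazy query that reads the "current session" when it is finally evaluated rather than when the call was made) and the fix (preserving the session reference up front), as an added illustration that is not AMP's code; the ambient `current_session` global and the request handlers are a constructed model, not the real implementation:

```python
import asyncio

# Constructed model of the bug: a mutable ambient "current session" that a
# lazy query reads at evaluation time, not at call time. (Assumption: not
# AMP's real code.)
current_session = None  # set per request by each handler


async def handle_request_buggy(session_id, results):
    """Lazy query resolves the session only when evaluated (buggy)."""
    global current_session
    current_session = session_id
    lazy_query = lambda: current_session  # captures nothing up front
    await asyncio.sleep(0)                # yield; another request runs here
    results[session_id] = lazy_query()    # may now see another session


async def handle_request_fixed(session_id, results):
    """Session reference is preserved before any async boundary (fixed)."""
    global current_session
    current_session = session_id
    bound_session = current_session       # preserve the reference now
    lazy_query = lambda: bound_session
    await asyncio.sleep(0)
    results[session_id] = lazy_query()


async def _run_two_requests(handler):
    results = {}
    await asyncio.gather(handler("session-A", results),
                         handler("session-B", results))
    return results


def run_buggy():
    return asyncio.run(_run_two_requests(handle_request_buggy))


def run_fixed():
    return asyncio.run(_run_two_requests(handle_request_fixed))


def leaked_sessions(results):
    """Requests whose lazy query resolved to a different session's reference."""
    return {k: v for k, v in results.items() if k != v}


if __name__ == "__main__":
    print("buggy:", leaked_sessions(run_buggy()))   # {'session-A': 'session-B'}
    print("fixed:", leaked_sessions(run_fixed()))   # {}
```

Under CPython's FIFO task scheduling the interleaving is deterministic, so request A's lazy query in the buggy variant always resolves to session B's reference.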

For most AMP users, the impact of this is negligible and wouldn’t reveal anything - and the information disclosure was only to authenticated users (who would generally be trusted). For Enterprise users who use the WHMCS module, however, this could result in potentially personally identifiable information being disclosed, as the instance names contain the user's real-life first initial and surname, which, paired with an IP address, makes the user identifiable. Exploiting this would have to be highly targeted, however, as it would have to be an instance to which you already had access (and thus already knew its instance ID GUID), and for which you had permission to view the session list at all.

Thank you to Zac from Southnode for bringing this to our attention.