Improper Access Control in collectiveaccess/pawtucket2

Valid

Reported on

Sep 30th 2021


Description

An attacker can join any user group in the Pawtucket2 interface because the joinGroup URLs use sequential, non-randomised group ids.

Proof of Concept

Any attacker can join the Administrator group using: http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/2

An attacker can join any group by incrementing the number by 1:

http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/1
http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/3
http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/4
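The following Python is an added example, not from the report or the CollectiveAccess code base: it parses combined-format web-server log lines and flags clients that probe the joinGroup URL pattern above across several group ids or that request the Administrator group id (2, per the report). The log lines, IP addresses and thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# joinGroup endpoint as shown in the report; the group id is the last path segment
JOIN_GROUP_RE = re.compile(r"/LoginReg/joinGroup/group_id/(\d+)(?:[/?]|$)")
# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_join_group_requests(lines):
    """Yield (client_ip, group_id, http_status) for every joinGroup request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        g = JOIN_GROUP_RE.search(m.group("path"))
        if g:
            yield m.group("ip"), int(g.group(1)), int(m.group("status"))


def find_enumerating_clients(lines, admin_group_id=2, min_groups=3):
    """Return {ip: sorted group ids} for clients that touched the admin group
    or requested at least `min_groups` distinct group ids (id enumeration)."""
    seen = defaultdict(set)
    for ip, gid, _status in parse_join_group_requests(lines):
        seen[ip].add(gid)
    return {
        ip: sorted(gids)
        for ip, gids in seen.items()
        if admin_group_id in gids or len(gids) >= min_groups
    }


# Constructed sample log lines (not taken from any real deployment)
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Sep/2021:10:00:01 +0000] "GET /pawtucket/index.php/LoginReg/joinGroup/group_id/1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Sep/2021:10:00:02 +0000] "GET /pawtucket/index.php/LoginReg/joinGroup/group_id/2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Sep/2021:10:00:03 +0000] "GET /pawtucket/index.php/LoginReg/joinGroup/group_id/3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Sep/2021:10:00:04 +0000] "GET /pawtucket/index.php/LoginReg/joinGroup/group_id/4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Sep/2021:10:05:00 +0000] "GET /pawtucket/index.php/LoginReg/joinGroup/group_id/7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Sep/2021:10:05:01 +0000] "GET /pawtucket/index.php/Detail/objects/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "garbage line that is not an access-log entry",
]

if __name__ == "__main__":
    for ip, gids in find_enumerating_clients(SAMPLE_LOG).items():
        print(f"{ip} probed joinGroup ids {gids}")
```

Pointing the script at a real access log means replacing SAMPLE_LOG with the file's lines; the single legitimate join from 198.51.100.7 is deliberately left unflagged.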

Impact

This vulnerability allows attackers to join the Administrator group and other groups without being invited, bypassing access controls.

Recommended Fix

Use randomized ids when user groups are created and when they are accessed.

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
CollectiveAccess validated this vulnerability (a year ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess (Maintainer), a year ago:

This one is less useful than one might expect, but it should not be like this. Will patch shortly.

CollectiveAccess (Maintainer), a year ago:

Thank you for pointing it out.

CollectiveAccess confirmed that a fix has been merged on 6c0e8a a year ago
CollectiveAccess has been awarded the fix bounty