Improper Privilege Management in gskinner/regexr
Reported on
Jun 15th 2021
✍️ Description
I managed to find a critical IDOR in https://github.com/gskinner/regexr/. Any user is able to change the visibility status of any pattern set.
📚 Proof of Concept
1: Go to https://regexr.com/
2: Click on "New" in the top left corner
3: Select Pattern Settings and fill out "Pattern Name", "Author Name", "Description"
4: Now click the Save button
5: Now the user will be able to change the pattern visibility to Private or Public
6: Click on the Private button and intercept the request
7: Replace the patternId= with some other ID (usually these IDs can be obtained once a user shares their pattern)
8: The pattern with the replaced ID gets changed
The API endpoint is vulnerable (api.php)
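As an added example (not regexr's own api.php), the missing object-level authorization check written in Python: a visibility-change handler that trusts the client-supplied patternId beside one that first verifies the pattern belongs to the session user and records denied attempts for detection. User names, pattern IDs and the in-memory store are constructed sample data.

```python
"""Ownership check for a "set pattern visibility" handler (illustrative, not regexr code)."""
from dataclasses import dataclass

@dataclass
class Pattern:
    pattern_id: str
    owner: str
    visibility: str  # "public" or "private"

# Constructed store: two users, each owning one pattern.
PATTERNS = {
    "pat-alice-001": Pattern("pat-alice-001", "alice", "private"),
    "pat-bob-002": Pattern("pat-bob-002", "bob", "public"),
}

# Denied requests are appended here; a real service would ship these to its SIEM.
AUDIT_LOG: list[str] = []

class Forbidden(Exception):
    """Caller is authenticated but does not own the requested object."""

def set_visibility_vulnerable(session_user: str, pattern_id: str, visibility: str) -> str:
    """IDOR: the handler looks up whatever patternId the client sent and never
    compares its owner with the logged-in user, so any user can flip any pattern."""
    pattern = PATTERNS[pattern_id]
    pattern.visibility = visibility
    return pattern.visibility

def set_visibility_fixed(session_user: str, pattern_id: str, visibility: str) -> str:
    """Hardened handler: validate the input, then enforce that the pattern's
    owner is the session user before mutating it."""
    if visibility not in ("public", "private"):
        raise ValueError("invalid visibility value")
    pattern = PATTERNS.get(pattern_id)
    # One error for "missing" and "not yours": the endpoint should not confirm
    # which IDs exist to callers who do not own them.
    if pattern is None or pattern.owner != session_user:
        AUDIT_LOG.append(f"DENY user={session_user} patternId={pattern_id} action=set_visibility")
        raise Forbidden("pattern not found or not owned by caller")
    pattern.visibility = visibility
    return pattern.visibility
```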
Video POC: GoogleDrive-Link
⚙️ Impact
This vulnerability is capable of changing other users' visibility privileges.