Improper Privilege Management in gskinner/regexr

Valid

Reported on

Jun 15th 2021


✍️ Description

I managed to find a critical IDOR in https://github.com/gskinner/regexr/. Any user is able to change the visibility status of any pattern set.

📚 Proof of Concept

1: Go to https://regexr.com/
2: Click on "New" in the top left corner
3: Select Pattern Settings and fill out "Pattern Name", "Author Name" and "Description"
4: Now click the Save button
5: Now the user will be able to change the pattern visibility to Private or Public
6: Click on the Private button and intercept the request
7: Replace the patternId= value with some other ID (usually these IDs can be obtained once a user shares their pattern)
8: The pattern with the replaced ID gets changed

The API endpoint is vulnerable (api.php)
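The root cause described above is a missing ownership check on the visibility-change action: the endpoint trusts the patternId sent by the client and updates whatever row it names. The following is an added illustration, not regexr's own api.php or the merged fix; it contrasts an unchecked handler with one that scopes the update to the session user. The table and column names (patterns, id, owner_id, visibility), the in-memory SQLite setup and the sample rows are constructed assumptions.

```php
<?php
// Added, hypothetical example of fixing an IDOR on a "set visibility" action.
// Not regexr's code: table/column names, session handling and sample data are assumed.

declare(strict_types=1);

const ALLOWED_VISIBILITY = ['public', 'private'];

/**
 * IDOR-prone variant: the row to update is chosen solely by the client-supplied
 * patternId, and nobody checks who owns that row. Any authenticated user can
 * flip the visibility of any pattern whose ID they know.
 */
function setVisibilityUnchecked(PDO $db, string $patternId, string $visibility): bool
{
    $stmt = $db->prepare('UPDATE patterns SET visibility = :v WHERE id = :id');
    $stmt->execute([':v' => $visibility, ':id' => $patternId]);
    return $stmt->rowCount() === 1;
}

/**
 * Hardened variant: $sessionUserId comes from the server-side session, never
 * from the request, and the UPDATE is restricted to rows that user owns. A
 * foreign patternId then matches zero rows, and the value is allow-listed.
 */
function setVisibilityOwnerScoped(PDO $db, int $sessionUserId, string $patternId, string $visibility): bool
{
    if (!in_array($visibility, ALLOWED_VISIBILITY, true)) {
        throw new InvalidArgumentException('visibility must be "public" or "private"');
    }

    $stmt = $db->prepare(
        'UPDATE patterns SET visibility = :v WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([
        ':v'     => $visibility,
        ':id'    => $patternId,
        ':owner' => $sessionUserId,
    ]);

    $changed = $stmt->rowCount() === 1;
    if (!$changed) {
        // Worth logging: a mismatch here is either a stale ID or an access attempt
        // on someone else's pattern, and both are useful detection signals.
        error_log(sprintf('visibility change rejected: user=%d pattern=%s', $sessionUserId, $patternId));
    }
    return $changed;
}

// --- Self-contained demo on a constructed in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE patterns (id TEXT PRIMARY KEY, owner_id INTEGER NOT NULL, visibility TEXT NOT NULL)');
$db->exec("INSERT INTO patterns VALUES ('abc123', 1, 'public'), ('def456', 2, 'public')");

// User 1 attempts to change a pattern owned by user 2, then one of their own.
$crossUserUnchecked = setVisibilityUnchecked($db, 'def456', 'private');
$db->exec("UPDATE patterns SET visibility = 'public' WHERE id = 'def456'"); // reset for the second run
$crossUserScoped = setVisibilityOwnerScoped($db, 1, 'def456', 'private');
$ownPatternScoped = setVisibilityOwnerScoped($db, 1, 'abc123', 'private');

echo 'unchecked handler, foreign pattern: ', $crossUserUnchecked ? 'applied' : 'rejected', PHP_EOL;
echo 'owner-scoped handler, foreign pattern: ', $crossUserScoped ? 'applied' : 'rejected', PHP_EOL;
echo 'owner-scoped handler, own pattern: ', $ownPatternScoped ? 'applied' : 'rejected', PHP_EOL;
```

One caveat when porting the owner-scoped check to MySQL: by default PDO's rowCount() there reports rows actually changed, so setting a pattern to the visibility it already has returns 0 even for the rightful owner. Either enable PDO::MYSQL_ATTR_FOUND_ROWS on the connection or select the row with its owner_id first and compare before updating; the authorization decision should rest on ownership, not on whether the value happened to differ.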

Video POC : GoogleDrive-Link

⚙️ Impact

This vulnerability is capable of changing other users' visibility privileges.

Occurrences

gskinner/regexr maintainer validated this vulnerability a year ago
Tibin Sunny has been awarded the disclosure bounty
The fix bounty is now up for grabs
gskinner/regexr maintainer confirmed that a fix has been merged on 3b50b0 a year ago
The fix bounty has been dropped