Improper Access Control in snipe/snipe-it
Valid
Reported on
Dec 9th 2021
Description
Regular users whose permissions on asset models are all set to DENY can still view model information via the /models/{id}/clone endpoint, because the controller performs no authorize('view') check on that action.
Proof of Concept
1: Create regular user and set DENY to all permissions in asset models.
2: Login as the user
3: Access asset model ID 1 via http://[SNIPE-URL]/models/1/clone
Impact
This vulnerability allows users who lack the view permission on asset models to read asset model details anyway through the clone endpoint.
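The missing check described above, as an added illustration that is not snipe-it's own code: a Laravel-style controller with the unguarded clone action beside a guarded one, plus the policy method the guard consults. The class, method and view names, the AssetModel model class and the policy body are assumptions made for this example; the guarded version uses authorize('create'), as the report's follow-up comment proposes, since cloning produces a new record.

```php
<?php
// Added example (not snipe-it code): unguarded vs. guarded clone action.

namespace App\Http\Controllers;

use App\Models\AssetModel;                                  // assumed model class
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Routing\Controller;

class AssetModelsController extends Controller
{
    use AuthorizesRequests;

    // Vulnerable pattern: any authenticated user who requests
    // GET /models/{id}/clone gets the record's fields rendered into the
    // form, because nothing asks the policy whether they may see it.
    public function getCloneUnguarded($modelId)
    {
        $source = AssetModel::find($modelId);
        $copy = clone $source;
        $copy->id = null;                       // new record, no id yet
        return view('models.edit')->with('item', $copy);
    }

    // Guarded pattern: authorize() consults AssetModelPolicy before any
    // data is loaded and throws AuthorizationException (rendered as a
    // 403 response) when the policy denies the ability.
    public function getClone($modelId)
    {
        $this->authorize('create', AssetModel::class);
        $source = AssetModel::findOrFail($modelId);
        $copy = clone $source;
        $copy->id = null;
        return view('models.edit')->with('item', $copy);
    }
}

namespace App\Policies;

use App\Models\User;                                        // assumed model class
use App\Models\AssetModel;

class AssetModelPolicy
{
    // Assumed permission check: the policy returns true only when the
    // user's granted permissions include creating asset models. A user
    // with DENY on all asset model permissions gets false here, so the
    // guarded controller action above never reaches the record.
    public function create(User $user): bool
    {
        return $user->hasAccess('models.create');            // assumed helper
    }

    public function view(User $user, AssetModel $model): bool
    {
        return $user->hasAccess('models.view');              // assumed helper
    }
}
```

With the policy registered for AssetModel in AuthServiceProvider, the same request from the report's proof of concept (a user with every asset model permission denied, requesting /models/1/clone) is rejected by the guarded action before the model is fetched.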
Occurrences
Fix: https://github.com/Haxatron/snipe-it/commit/918e7c8dae4d41935f534901a582ea8488bbf603
On 2nd thought, I think it would be better to use authorize('create') rather than authorize('view')
Improved fix here: https://github.com/Haxatron/snipe-it/commit/1699c09758e56f740437674a8d6ba36443399f24
Thanks for this - can you create a PR against master or dev? I’ll happily take it.
AssetModelsController.php#L270-L285