Improper Authorization in collectiveaccess/pawtucket2

Valid

Reported on

Oct 11th 2021


Description

Users without any read_access to a lightbox can still view its contents via incrementing the id

Proof of Concept

...
http://10.0.2.15/pawtucket/index.php/Lightbox/Present/set_id/1
http://10.0.2.15/pawtucket/index.php/Lightbox/Present/set_id/2
http://10.0.2.15/pawtucket/index.php/Lightbox/Present/set_id/3
...

and

...
http://10.0.2.15/pawtucket/index.php/Lightbox/setDetail/set_id/1
http://10.0.2.15/pawtucket/index.php/Lightbox/setDetail/set_id/2
http://10.0.2.15/pawtucket/index.php/Lightbox/setDetail/set_id/3
...

Impact

This vulnerability is capable of viewing other lightboxes without read_access

Recommended Fix

Recommended fix would be to check user access before allowing read_access

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back 2 months ago
CollectiveAccess
a month ago

Maintainer


Access is actually being checked.

Two things that can may be causing confusion:

  1. if you're testing with an admin user you'll be able to access all set by design
  2. sets that are marked public access (which includes any set made in Pawtucket, but not Providence) are readable by any user. This was intentional... at the time this was all first built light boxes were intended to be online exhibition builders with limited privacy. However, I don't think anyone these days realizes this is the case, and the wording of options in the current UI (which has changed a lot over the years) implies, to me at least, that the opposite is true.

So I'm going to accept this as a legitimate hole, even if the hole is intentional. It should be changed.

Thanks again for taking the time to look through the application. It's really helpful.

CollectiveAccess validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on 2c2e93 a month ago
CollectiveAccess has been awarded the fix bounty