Improper Authorization in collectiveaccess/pawtucket2
Valid
Reported on Oct 11th 2021
Description
Users without read_access to a lightbox can still view its contents by incrementing the set_id in the URL.
Proof of Concept
...
http://10.0.2.15/pawtucket/index.php/Lightbox/Present/set_id/1
http://10.0.2.15/pawtucket/index.php/Lightbox/Present/set_id/2
http://10.0.2.15/pawtucket/index.php/Lightbox/Present/set_id/3
...
and
...
http://10.0.2.15/pawtucket/index.php/Lightbox/setDetail/set_id/1
http://10.0.2.15/pawtucket/index.php/Lightbox/setDetail/set_id/2
http://10.0.2.15/pawtucket/index.php/Lightbox/setDetail/set_id/3
...
Impact
This vulnerability allows a user to view lightboxes they have no read_access to.
Recommended Fix
The recommended fix is to check the requesting user's access to the set before returning its contents.
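As an added example (not part of this report or of the pawtucket2 code), the detection logic a defender could run over web server access logs to spot the set_id walk shown in the proof of concept: it flags any client that requests several distinct set_id values on the two Lightbox endpoints within a short window and counts how many of those came back with HTTP 200, which is the symptom of the missing authorization check. The Common Log Format, the client addresses and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two endpoints named in the report; everything before /Lightbox/ is ignored.
LIGHTBOX_RE = re.compile(r"/Lightbox/(?:Present|setDetail)/set_id/(\d+)")
# Common Log Format: client ip, timestamp, request line, status (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 10.0.2.4 walks set_id 1..5 in seconds; 10.0.2.9 opens one set.
SAMPLE_LOG = """\
10.0.2.4 - - [11/Oct/2021:10:00:01 +0000] "GET /pawtucket/index.php/Lightbox/Present/set_id/1 HTTP/1.1" 200 5120
10.0.2.4 - - [11/Oct/2021:10:00:02 +0000] "GET /pawtucket/index.php/Lightbox/Present/set_id/2 HTTP/1.1" 200 4870
10.0.2.4 - - [11/Oct/2021:10:00:03 +0000] "GET /pawtucket/index.php/Lightbox/Present/set_id/3 HTTP/1.1" 200 6001
10.0.2.4 - - [11/Oct/2021:10:00:04 +0000] "GET /pawtucket/index.php/Lightbox/setDetail/set_id/4 HTTP/1.1" 200 3300
10.0.2.4 - - [11/Oct/2021:10:00:05 +0000] "GET /pawtucket/index.php/Lightbox/setDetail/set_id/5 HTTP/1.1" 403 512
10.0.2.9 - - [11/Oct/2021:10:00:05 +0000] "GET /pawtucket/index.php/Lightbox/setDetail/set_id/7 HTTP/1.1" 200 3300
"""


def find_set_id_enumeration(log_text, min_ids=4, window=timedelta(minutes=5)):
    """Return {ip: {"ids": [...], "served": n}} for each client that requested at
    least `min_ids` distinct set_id values on the Lightbox endpoints within `window`;
    `served` is how many of those ids came back with HTTP 200."""
    hits = defaultdict(list)  # ip -> [(timestamp, set_id, status)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = LIGHTBOX_RE.search(m["path"])
        if not path:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        hits[m["ip"]].append((ts, int(path.group(1)), int(m["status"])))

    findings = {}
    for ip, events in hits.items():
        events.sort()
        start = 0  # left edge of a sliding time window over this client's requests
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ids = sorted({sid for _, sid, _ in span})
            if len(ids) >= min_ids and len(ids) > len(findings.get(ip, {}).get("ids", ())):
                served = len({sid for _, sid, st in span if st == 200})
                findings[ip] = {"ids": ids, "served": served}
    return findings
```

On the sample log the function reports 10.0.2.4 as having requested set_ids 1 to 5 with four of them served, while 10.0.2.9, which opened a single set, is not flagged.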
We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back
2 years ago
Access is actually being checked.
Two things that may be causing confusion:
- if you're testing with an admin user you'll be able to access all sets by design
- sets that are marked public access (which includes any set made in Pawtucket, but not Providence) are readable by any user. This was intentional... at the time this was all first built lightboxes were intended to be online exhibition builders with limited privacy. However, I don't think anyone these days realizes this is the case, and the wording of options in the current UI (which has changed a lot over the years) implies, to me at least, that the opposite is true.
So I'm going to accept this as a legitimate hole, even if the hole is intentional. It should be changed.
Thanks again for taking the time to look through the application. It's really helpful.
LightboxController.php#L159-L407 has been validated
LightboxController.php#L1313-L1329 has been validated