Improper Privilege Management in opensource-socialnetwork/opensource-socialnetwork


Reported on Jul 22nd 2021

💥 BUG

An unprivileged user can comment on a photo in a private album.


A user who does not (or no longer) has permission to view a private album can still comment on the photos in that album.


There are two users, user-A and user-B.
1. First go to user-A's account and create a private album.
Let the album URL be http://localhost/opensource-socialnetwork/album/view/10, with visibility set so that only friends can see it.

2. user-A sends a friend request to user-B, and user-B accepts it.

3. Go to user-B's account and visit the album URL above; user-B can now see all of the uploaded images.
Let user-B open one of the images of that album, at a URL like http://localhost/opensource-socialnetwork/photos/view/56, and keep this tab open.

4. Go to user-A's account and unfriend user-B, so user-B should no longer be able to see the album.
user-B now returns to the tab left open in step 3 and can still post a comment there.
The following request, replayed from user-B's open tab, is what posts the comment:

// Copied from the browser's "Copy as fetch" in user-B's session. The page-specific
// values (ossn_ts, ossn_token, entity=56) come from the photo page that was left open;
// the repeated comment= fields are the reporter's test input.
await fetch("http://localhost/opensource-socialnetwork/action/post/entity/comment", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest"
    },
    "referrer": "http://localhost/opensource-socialnetwork/photos/view/56",
    "body": "ossn_ts=1626891487&ossn_token=1621bc0dbc2b6deaca5953fb7b090441d4d2eb2295ced160c9471214a09f2112&entity=56&comment-attachment=&comment=ff&comment=khhkhk&comment=kjhkhhjkjhhk&comment=jjj",
    "method": "POST",
    "mode": "cors"
});
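The steps above, as an added example that is not code from the report or from the opensource-socialnetwork project. It models the check a comment action has to make: resolve the commented entity (the photo) to its container (the album), then evaluate the album's access level against the friendship that exists at the moment of the POST, not against whatever was visible when the page was rendered. Every name here (Site, Album, Photo, comment_vulnerable, comment_hardened, the access constants) and the data model are assumptions made for the demo; the report does not show OSSN's handler, and the vulnerable variant only reproduces the observed behaviour. The hardened variant generalizes beyond the reported case to public and owner-only albums.

```python
"""Standalone model of the authorization gap described in the report.

Not OSSN code: class and function names, the access constants and the
in-memory storage are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Assumed access levels of an album (OSSN's real constants are not used here).
ACCESS_PUBLIC = "public"
ACCESS_FRIENDS = "friends"
ACCESS_PRIVATE = "private"


@dataclass
class Album:
    guid: int
    owner: str
    access: str


@dataclass
class Photo:
    guid: int
    album_guid: int


@dataclass
class Site:
    albums: dict = field(default_factory=dict)
    photos: dict = field(default_factory=dict)
    friends: set = field(default_factory=set)     # frozenset({a, b}) pairs
    comments: list = field(default_factory=list)  # (user, photo_guid, text)

    def add_friend(self, a, b):
        self.friends.add(frozenset((a, b)))

    def remove_friend(self, a, b):
        self.friends.discard(frozenset((a, b)))

    def is_friend(self, a, b):
        return frozenset((a, b)) in self.friends

    def can_view_album(self, user, album):
        """Access decision evaluated against the *current* relationship."""
        if user == album.owner or album.access == ACCESS_PUBLIC:
            return True
        if album.access == ACCESS_FRIENDS:
            return self.is_friend(user, album.owner)
        return False  # ACCESS_PRIVATE: owner only

    def view_photo(self, user, photo_guid):
        """Render /photos/view/<guid>; True if the user may see it right now."""
        photo = self.photos[photo_guid]
        return self.can_view_album(user, self.albums[photo.album_guid])

    def comment_vulnerable(self, user, photo_guid, text):
        """Checks only that the entity exists and a user is logged in, so a
        user whose access was revoked after the page loaded still succeeds."""
        if user is None or photo_guid not in self.photos:
            return False
        self.comments.append((user, photo_guid, text))
        return True

    def comment_hardened(self, user, photo_guid, text):
        """Re-resolves photo -> album and re-checks access at comment time."""
        if user is None:
            return False
        photo = self.photos.get(photo_guid)
        if photo is None:
            return False
        if not self.can_view_album(user, self.albums[photo.album_guid]):
            return False
        self.comments.append((user, photo_guid, text))
        return True


def reproduce(handler_name):
    """Replays steps 1-4 of the report; returns whether user-B's comment lands."""
    site = Site()
    site.albums[10] = Album(guid=10, owner="user-A", access=ACCESS_FRIENDS)  # step 1
    site.photos[56] = Photo(guid=56, album_guid=10)
    site.add_friend("user-A", "user-B")                                     # step 2
    if not site.view_photo("user-B", 56):                                   # step 3
        raise RuntimeError("user-B should be able to open the photo while friends")
    site.remove_friend("user-A", "user-B")                                  # step 4
    handler = getattr(site, handler_name)
    return handler("user-B", 56, "ff")  # the POST replayed from the open tab


if __name__ == "__main__":
    print("vulnerable handler accepted comment:", reproduce("comment_vulnerable"))
    print("hardened handler accepted comment:  ", reproduce("comment_hardened"))
```

The point the model makes is that the CSRF token pair in the captured request is not the control that matters here: it proves the request came from user-B's own page, which is true. What is missing is an object-level authorization check on the parent album at write time, and the hardened handler adds exactly that.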
- We have contacted a member of the opensource-socialnetwork team and are waiting to hear back (2 years ago)
- An opensource-socialnetwork/opensource-socialnetwork maintainer validated this vulnerability (2 years ago)
- ranjit-git has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- An opensource-socialnetwork/opensource-socialnetwork maintainer marked this as fixed with commit 975f38 (2 years ago)
- The fix bounty has been dropped
- This vulnerability will not receive a CVE (2 years ago)
- Issue fixed
- ranjit-git modified the report (2 years ago)