Race Condition exists in the collection in answerdev/answer

Valid

Reported on

Jan 12th 2023


Description

An ordinary user can use this vulnerability to attack the collections on other users' questions. A single user is supposed to be able to only collect a question or cancel that collection; the race condition breaks through this limit, resulting in too many collections or a negative collection count.

Proof of Concept

Step 1. Open Burp, click collection, and intercept the request.

Step 2. Right-click and send the request to Turbo Intruder. Add a request header x-req: %s, then select examples/race.py as the script and click Attack.

Step 3. Turn off Burp interception and refresh your question; you can see that the limit has been broken.

Impact

It breaks the limit of a single collection or cancellation per user, so an attacker can maliciously manipulate the number of collections on other users' questions, for example by adding or removing a large number of collections.

Occurrences

Wrap the collection operation in a transaction, or add a lock.
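The following Go sketch is an added example, not code from answerdev/answer or from the report. It shows why a check followed by a separate write lets concurrent requests all pass the "already collected?" check, and how holding one lock across both steps fixes it. The `Question` type, `collect`, `Simulate` and the user name `u1` are hypothetical, and the mutex stands in for the transaction or lock suggested above.

```go
package main

import (
	"fmt"
	"sync"
)

// Question is a constructed stand-in for one question's collection state.
type Question struct {
	mu        sync.Mutex
	collected map[string]bool // user -> has collected this question
	count     int             // collection count shown on the question
}

// collect records u's collection once. atomic=false splits check and write; gap runs between.
func (q *Question) collect(u string, atomic bool, gap func()) {
	q.mu.Lock()
	seen := q.collected[u] // check
	if !atomic {
		q.mu.Unlock()
		gap()
		q.mu.Lock()
	}
	if !seen { // act, possibly on a stale check
		q.collected[u] = true
		q.count++
	}
	q.mu.Unlock()
}

// Simulate sends n concurrent collect requests from one user, returns the count.
func Simulate(n int, atomic bool) int {
	q := &Question{collected: map[string]bool{}}
	var checked, done sync.WaitGroup
	checked.Add(n)
	done.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer done.Done()
			// gap: hold each request until all n have passed the check
			q.collect("u1", atomic, func() { checked.Done(); checked.Wait() })
		}()
	}
	done.Wait()
	return q.count
}

func main() {
	fmt.Println("two-step:", Simulate(20, false), "atomic:", Simulate(20, true))
}
```

In a database-backed service the same guarantee usually comes from running the check and the write in one transaction with a row lock, or from a unique constraint on the (user, question) pair so that duplicate inserts fail.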

We are processing your report and will contact the answerdev/answer team within 24 hours. 2 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 2 months ago
We have sent a follow up to the answerdev/answer team. We will try again in 7 days. 2 months ago
answerdev/answer maintainer validated this vulnerability 2 months ago
1derian has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in 1.0.4 with commit 1ee34b a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability a month ago