Improper Access Control in kevinpapst/kimai2
Reported on Nov 20th 2021
Description
Authenticated users can preview invoices to which they do not have read access.
Proof of Concept
To demonstrate this vulnerability, we will use tony_teamlead on the demo site.
1: Login as tony_teamlead.
2: Go to Invoices page, see that there is no Haley-Jaskolski invoice document present on the UI.
3: But if tony_teamlead visits https://demo.kimai.org/en/invoice/preview/4/4, they will be able to see Haley-Jaskolski's invoice document. On the demo-stable website if tony_teamlead visits https://demo-stable.kimai.org/en/invoice/preview/1/4, they will see Crooks Group's document even though they do not have access to it.
4: Attackers can increment or decrement the invoice_id in https://demo.kimai.org/en/invoice/preview/{invoice_id}/{file_export_format} to retrieve invoice documents they do not have access to.
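Step 4 describes walking the first path parameter of the preview route. The detection logic below is an added example, not code from the report or from the Kimai project: it scans web access log lines for a single account requesting the preview route for many distinct ids inside a short window, which is the access pattern a defender would want to alert on while the authorization fix is rolled out. The log line format (timestamp, username, method, path, status) and the sample lines themselves are constructed for this example; the route shape follows the URL quoted in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from the page or the demo site).
# Assumed format: "<ISO timestamp> <username> <method> <path> <status>".
SAMPLE_LOG = """\
2021-11-20T10:00:01Z tony_teamlead GET /en/invoice/preview/4/4 200
2021-11-20T10:00:03Z tony_teamlead GET /en/invoice/preview/5/4 200
2021-11-20T10:00:05Z tony_teamlead GET /en/invoice/preview/6/4 200
2021-11-20T10:00:06Z tony_teamlead GET /en/invoice/preview/7/4 200
2021-11-20T10:00:08Z tony_teamlead GET /en/invoice/preview/8/4 200
2021-11-20T10:01:00Z susan_super GET /en/invoice/preview/1/4 200
2021-11-20T10:05:00Z anna_admin GET /en/invoice/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# /<locale>/invoice/preview/<first id>/<second id>, as in the report's URLs
PREVIEW_RE = re.compile(r"^/[a-z]{2}/invoice/preview/(\d+)/(\d+)$")


def parse_line(line):
    """Return (timestamp, user, first_id) for a preview request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text, user, _method, path, _status = m.groups()
    p = PREVIEW_RE.match(path)
    if not p:
        return None
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, user, int(p.group(1))


def find_enumeration(log_text, threshold=4, window=timedelta(minutes=5)):
    """Flag users that hit >= threshold distinct preview ids within `window`.

    A sliding window per user is used so that a legitimate admin opening a few
    previews over a day is not confused with a burst of sequential ids.
    """
    events = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is not None:
            ts, user, first_id = parsed
            events[user].append((ts, first_id))

    findings = []
    for user, evs in events.items():
        evs.sort()
        best = set()
        for i, (start_ts, _) in enumerate(evs):
            seen = set()
            for ts, first_id in evs[i:]:
                if ts - start_ts > window:
                    break
                seen.add(first_id)
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            findings.append({"user": user, "distinct_ids": sorted(best)})
    return findings


if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(f"{finding['user']} previewed ids {finding['distinct_ids']}")
```

The threshold and window are tuning knobs: on a real deployment start from the number of customers a given role can legitimately see and alert when a single session exceeds it in a few minutes.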
Impact
Authenticated users can access potentially sensitive financial information to which they do not have access.
Occurrences
I don't yet understand that report. The route you are talking about creates a preview invoice; its definition is called /preview/{customer}/{template}. Every user who owns the view_invoice permission is allowed to do that, and Teamleads have that permission.
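The comment above explains the permission model: the route is guarded by the role-level view_invoice permission. The report's point is that a role permission alone does not say which customers the user may see. The following is an added example, not code from Kimai or from either participant, modelling that distinction in plain Python: the role-only check beside a check that also requires object-level visibility of the customer. The users, teams and customer assignments are constructed; the rule that a customer with no team is visible to everyone and that a super admin sees all customers is an assumption of this example. In a Symfony application this object-level rule would normally live in a security voter that the controller consults before rendering the preview.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset
    teams: frozenset
    super_admin: bool = False


@dataclass(frozen=True)
class Customer:
    id: int
    name: str
    teams: frozenset  # teams that may see this customer; empty = visible to all (assumption)


# Constructed data: team membership and customer names are made up for this example.
TEAM_A, TEAM_B = "team_a", "team_b"
USERS = {
    "susan_super": User("susan_super", frozenset({"view_invoice"}), frozenset(), super_admin=True),
    "tony_teamlead": User("tony_teamlead", frozenset({"view_invoice"}), frozenset({TEAM_A})),
    "john_user": User("john_user", frozenset(), frozenset({TEAM_A})),
}
CUSTOMERS = {
    1: Customer(1, "Crooks Group", frozenset({TEAM_B})),
    2: Customer(2, "Visible Customer", frozenset({TEAM_A})),
    4: Customer(4, "Haley-Jaskolski", frozenset({TEAM_B})),
}


def can_preview_role_only(user, customer):
    """The pattern the report describes: only the role permission is consulted."""
    return "view_invoice" in user.permissions


def can_see_customer(user, customer):
    """Object-level visibility: super admins see all, others need a shared team."""
    if user.super_admin:
        return True
    if not customer.teams:
        return True
    return bool(user.teams & customer.teams)


def can_preview(user, customer):
    """Hardened check: role permission AND visibility of this specific customer."""
    return "view_invoice" in user.permissions and can_see_customer(user, customer)


def preview_invoice(user, customer_id, template_id, customers=CUSTOMERS):
    """Serve the preview only when both checks pass.

    Unknown and forbidden ids produce the same error so that a caller cannot
    learn which ids exist by comparing responses.
    """
    customer = customers.get(customer_id)
    if customer is None or not can_preview(user, customer):
        raise PermissionError(f"{user.name} may not preview customer {customer_id}")
    return f"preview for {customer.name} using template {template_id}"


if __name__ == "__main__":
    tony = USERS["tony_teamlead"]
    print(preview_invoice(USERS["susan_super"], 4, 4))
    print(preview_invoice(tony, 2, 4))
    try:
        preview_invoice(tony, 4, 4)
    except PermissionError as e:
        print("denied:", e)
```

The difference between can_preview_role_only and can_preview is the whole fix: the first answers "may this role preview invoices at all", the second answers "may this user preview invoices for this customer", which is the question the route actually needs answered.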
If you look at the invoice previews as susan_super, the super admin, you actually see all the invoices stored on the server, including Haley-Jaskolski's.
Thus, I presumed that tony_teamlead does not have access to Haley-Jaskolski's invoice documents because it does not show up in the UI in the demo development server.
But yet if you go to https://demo.kimai.org/en/invoice/preview/4/4, you'll be able to view the documents.
1: As susan_super, I can see all invoice documents - Link 1
2: As tony_teamlead, I can only see some of the documents, presumably because I do not have read access to documents I cannot see - Link 2
3: As tony_teamlead, I can still access the documents which I do not have read access to, via previews, for instance Gorzanic Brandike: Link 3
Thus the issue above is that users without access to read someone's invoice documents can still access them via previews.
Just to clarify: the preview route does not download existing invoice documents, but creates a preview for time-records not yet billed to customers. So for "possible future invoices". But give me some time to investigate now, I'll let you know :)