ProjectID is disclosed and can be used for IDOR attack in metersphere/metersphere

Valid

Reported on

Mar 23rd 2023


I found that when we click the "Settings" button, we can see all the projects, even those the logged-in user does not belong to. Using Burp Suite to intercept the request, we can obtain the project IDs. We can use a project ID to perform an IDOR attack.

1 Create two projects, project1 and project2, whose admins are admin1 and admin2 respectively.

2 Log in as admin2 and click "Settings"; use Burp Suite to intercept the request, and we can obtain the project IDs of project1 and project2.

3 Go to "Project settings", click "Member", and add a member.

4 Use Burp Suite to intercept the request and replace project2's project ID with project1's project ID.

5 We can find that project1 has a new member, even though admin2 is not the admin of project1.

The UUID format of the project ID can prevent IDOR effectively. But we disclose it to end users!

Impact

We only use "add member" as an example. You can do anything you want with other projects.
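The root cause described in steps 3 to 5 is that the "add member" endpoint authenticates the caller but never checks that the caller is allowed to act on the project named in the request body. The following is an added example written for this page, not MeterSphere's code: a minimal in-memory model of the add-member handler in its vulnerable form next to a hardened form that performs the per-object authorization check, plus a helper that replays the report's tampered request. The project/user names, the two constructed UUID strings, the handler names and the `Forbidden` exception are all assumptions made for the illustration. Note the design point in the hardened handler: the fix is the server-side membership check, independent of whether the ID is a UUID or an integer; an unguessable ID only raises the cost of discovery, and here the IDs were listed to every user anyway.

```python
"""Added example, not MeterSphere code: object-level authorization on an
"add project member" request, vulnerable vs. hardened.

Everything below (Project, make_projects, the handler names, the UUIDs) is
constructed for this illustration and is not the MeterSphere API.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not modify the requested project."""


@dataclass
class Project:
    project_id: str                        # opaque id, a UUID string here
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)


# Constructed UUIDs standing in for the ids the report recovered from the
# "Settings" request (assumption: they look like these, values are made up).
PROJECT1 = "2d0f0c2a-1111-4a5b-9c3d-aaaaaaaaaaaa"   # admin: admin1
PROJECT2 = "7e5b9b11-2222-4c6e-8d1f-bbbbbbbbbbbb"   # admin: admin2


def make_projects() -> dict:
    """Fresh copy of the sample data from the report's step 1."""
    return {
        PROJECT1: Project(PROJECT1, admins={"admin1"}, members={"admin1"}),
        PROJECT2: Project(PROJECT2, admins={"admin2"}, members={"admin2"}),
    }


def add_member_vulnerable(projects: dict, session_user: str, body: dict) -> Project:
    """Vulnerable handler: the session proves who the caller is, but the
    target object is taken from body["projectId"] and trusted as-is.

    The UI only ever sends the caller's own project id, so knowing the id was
    treated as sufficient authorization. Any authenticated user who learns
    another project's id can write to it (IDOR)."""
    project = projects[body["projectId"]]
    project.members.add(body["userId"])
    return project


def add_member_hardened(projects: dict, session_user: str, body: dict) -> Project:
    """Hardened handler: the target is still named by the client (it has to
    be), but the server decides per object whether *this* caller is an admin
    of *that* project before mutating it."""
    project = projects.get(body["projectId"])
    if project is None or session_user not in project.admins:
        # One response for "no such project" and "not your project", so a
        # probing client cannot tell valid ids from invalid ones.
        raise Forbidden("caller is not an admin of the requested project")
    project.members.add(body["userId"])
    return project


def attempt(handler, caller: str, target: str, new_user: str = "newuser") -> bool:
    """Replay one add-member request against fresh sample data.

    The report's steps 3-5 are attempt(handler, "admin2", PROJECT1): admin2's
    request with project2's id swapped for project1's. Returns True when
    new_user ended up in the target's member list, i.e. the write went through."""
    projects = make_projects()
    try:
        handler(projects, caller, {"projectId": target, "userId": new_user})
    except Forbidden:
        return False
    return new_user in projects[target].members


if __name__ == "__main__":
    print("vulnerable: admin2 writes to project1 ->", attempt(add_member_vulnerable, "admin2", PROJECT1))
    print("hardened:   admin2 writes to project1 ->", attempt(add_member_hardened, "admin2", PROJECT1))
    print("hardened:   admin2 writes to project2 ->", attempt(add_member_hardened, "admin2", PROJECT2))
```

The same pattern applies to every other project-scoped endpoint the report alludes to under Impact: the authorization decision has to be made against the object identified in the request, not against the project the session happens to be "in".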

We are processing your report and will contact the metersphere team within 24 hours. 2 months ago
lujiefsi modified the report
2 months ago
lujiefsi
2 months ago

Researcher


POC can be found here https://1drv.ms/v/s!AksJ421iyCG-mTTGkgkxESpP-QrQ?e=S08Hzj

We have contacted a member of the metersphere team and are waiting to hear back 2 months ago
lujiefsi
2 months ago

Researcher


Is there any update on this issue?

lujiefsi
2 months ago

Researcher


@maintainer

Could you please acknowledge this report if you have received it!

Thanks!

fit2-zhao has marked this vulnerability as not applicable 2 months ago

Thanks for the security advice on our product, it has been confirmed that this issue has been fixed in both the v1 (v1.20.21-lts) and v2 (v2.8.1) versions we are maintaining.

The disclosure bounty has been dropped
The fix bounty has been dropped
lujiefsi
2 months ago

Researcher


Thanks for your feedback!

lujiefsi
a month ago

Researcher


Hi, can we change the status to valid without publishing? Thanks!

lujiefsi
a month ago

Researcher


@admin

Big issue. This issue was confirmed later and was assigned CVE-2023-30550. metersphere has not published this CVE and can mark this issue as private again.

lujiefsi
a month ago

Researcher


@admin

If possible, can we mark it valid?

Ben Harvie
a month ago

Admin


Hi lujiefsi, the maintainer seems to have made a mistake on validation. I will reset the report to a pending state and we will need the maintainer to re-validate and provide fix information to proceed.

fit2-zhao, please re-validate this report appropriately.

Thanks!

lujiefsi
20 days ago

Researcher


@admin @fit2-zhao

It seems that we have released the CVE. Can we mark it as valid and assign CVE-2023-30550 to it? See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30550

Ben Harvie
11 days ago

Admin


Hi lujiefsi, if you could help me with the commit hash where this vulnerability was fixed, I can mark it as valid and fixed for you :)

lujiefsi
11 days ago

Researcher


Hi @admin, the commit is https://github.com/metersphere/metersphere/commit/a7b0ca8192b018c90140f8b325509442f4e3e7a0

lujiefsi modified the report
11 days ago
Ben Harvie validated this vulnerability 3 days ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie marked this as fixed in 2.10 with commit a7b0ca 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 3 days ago