ProjectID is disclosed and can be used for IDOR attack in metersphere/metersphere
Mar 23rd 2023
I find that we click "Settings" button, we can see all the project, even the login user does not belong to the project. Using burpsuit to hijack the reqeust, we can obtain project ids. We can use projectid to perform IDOR attack.
1 create two projects: project1 and project2, and their admin is admin1 and admin2
2 login as admin2 and click "Setting", use burpsuit hijack the request and we can obtain the projectid of project1 and project2.
3 go to "proejct settings" and click member, and add a member.
4 Using burpsuit to hijack the reqeust, repalce project2's projectid as project1's projectid
5 we can find that project1 has a new member, even admin2 is not the admin of project1.
UUID format of proejctid can precent IDOR effectively. But we disclose it to end users !
we only use " add member" for example. You can do anything you want with other projects.
POC can be found here https://1drv.ms/v/s!AksJ421iyCG-mTTGkgkxESpP-QrQ?e=S08Hzj
is there any update for this issuse?
could please acknowledg this report if you have receive this report!
Thanks for the security advice on our product, it has been confirmed that this issue has been fixed in both the v1 (v1.20.21-lts) and v2 (v2.8.1) versions we are maintaining.
Thanks for your feed back!
hi, can we change the status as vaild without puslishing ? Thanks!
big issuse. This issuse was comfirmed later and was assigned CVE-2023-30550. metersphere has not publish this CVE and can mark this issue as private again.
if possiable, can we mark it valild?
Hi lujiefsi, the maintainer seems to have made a mistake on validation. I will reset the report to a pending state and we will need the maintainer to re-validate and provide fix information to proceed.
fit2-zhao, please re-validate this report appropriately.
it seems that we have release the CVE, can be mark it as vaild and assign CVE-2023-30550 on it? see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30550
Hi lujiefsie, if you could help me with the commit hash where this vulnerability fixed, I can mark it as valid and fixed for you:)
Hi @admin commit is https://github.com/metersphere/metersphere/commit/a7b0ca8192b018c90140f8b325509442f4e3e7a0