Authorization Bypass Through User-Controlled Key in weseek/growi
Reported on
Sep 8th 2021
✍️ Description
The following endpoint doesn't check the authorization of users, and any user can delete other users' comments: /_api/comments.remove
The body of the request is like this:
{
  "comment_id": "61393bb36970d0000c62b3cf",
  "_csrf": "<a_new_one>"
}
Any user receives every comment_id and can easily replace other users' comment_id with their own comment_id and delete other users' comments.
💥 Impact
This vulnerability is capable of making a high impact on the integrity of the system.
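The following is an added example, not GROWI's own code, that models the reported flaw and its fix: a comment-removal handler that trusts the client-supplied comment_id alone (CWE-639), beside a hardened version that loads the record server-side and compares its creator to the authenticated user before deleting. The in-memory Map, the user objects, the second comment id and the `isAdmin` flag are all constructed for the example; the first id is the one quoted in the report.

```javascript
// Added example, not GROWI's own code: a minimal model of the comment-removal
// handler, first without an ownership check (the bug reported above) and then
// hardened. The Map stands in for the comments collection; ids, users and
// comment bodies are constructed sample data.

// Fresh sample store for each run. The first id is the one from the report;
// the second is a constructed placeholder.
function seedComments() {
  return new Map([
    ['61393bb36970d0000c62b3cf', { creator: 'alice', body: 'first comment' }],
    ['000000000000000000000002', { creator: 'bob', body: 'second comment' }],
  ]);
}

// Vulnerable shape: the caller is authenticated (session and CSRF token are
// assumed to have been validated upstream), but nothing checks that the caller
// owns the comment_id taken from the request body.
function removeCommentVulnerable(store, user, body) {
  if (!user) return { status: 401 };
  const id = String(body.comment_id || '');
  if (!store.has(id)) return { status: 404 };
  store.delete(id);
  return { status: 200 };
}

// Hardened shape: the user-controlled key only selects the record; authority
// comes from comparing the stored creator with the authenticated user.
// Only the owner (or an admin) may delete.
function removeCommentHardened(store, user, body) {
  if (!user) return { status: 401 };
  const id = String(body.comment_id || '');
  const comment = store.get(id);
  if (!comment) return { status: 404 };
  const isOwner = comment.creator === user.id;
  if (!isOwner && !user.isAdmin) {
    // Log the denial: a burst of 403s from one account against many ids is a
    // useful detection signal for object-reference probing.
    console.warn(`denied: user=${user.id} tried to remove comment ${id} owned by ${comment.creator}`);
    return { status: 403 };
  }
  store.delete(id);
  return { status: 200 };
}

// Replays the reported request (bob submits alice's comment_id) against both
// handlers and reports the outcome of each.
function demo() {
  const request = { comment_id: '61393bb36970d0000c62b3cf', _csrf: 'valid-token' };
  const bob = { id: 'bob', isAdmin: false };

  const vulnerableStore = seedComments();
  const vulnerableResult = removeCommentVulnerable(vulnerableStore, bob, request);

  const hardenedStore = seedComments();
  const hardenedResult = removeCommentHardened(hardenedStore, bob, request);

  return {
    vulnerable: { status: vulnerableResult.status, stillExists: vulnerableStore.has(request.comment_id) },
    hardened: { status: hardenedResult.status, stillExists: hardenedStore.has(request.comment_id) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the vulnerable handler returning 200 and deleting alice's comment for bob, while the hardened handler returns 403 and leaves it in place. The ownership check is deliberately done against the stored record, not against anything in the request, so that a forged or guessed comment_id can never widen the caller's rights.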
We will fix it. Please wait for the next release.
Thanks for reporting the vulnerability. It has already been fixed and released on v4.8.8. Thank you.
At the request of Kaori Tokashiki, we have gone ahead and assigned and published CVE-2021-3852.
If you have any further questions don't hesitate to get in touch.
@admin Hi, thanks for publishing the CVE.
By the way, the e-mail automatic delivery system seems to be set to “vuls@jpcert.or.jp”, which is a different organization from the GROWI project. Could you replace it with “ml-jvn-growi@weseek.co.jp”?
Sorry, I made a mistake in the comment 3 before. The released version is v4.4.8, not v4.8.8.
@maintainer - you are welcome!
We can replace it; however, I attempted sending an e-mail to this new address yesterday, and it failed to deliver.
I will try another test e-mail now if that is okay.
Just tried and I receive this error from our e-mail provider:
550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces.
@admin Could you try it again with "ml-jvn-growi@weseek.co.jp"?
↑ Please ignore the comment above. @admin Could you try it again with "ml-jvm-growi@weseek.co.jp"?
It looks like that one was sent; can you confirm that you received this e-mail? After that, we can go ahead and update the contact details for future notifications and reports.
I replied to your email just now. Please check.
I received it - shall I go ahead and update your contact address to this new e-mail?