Multiple IDOR in sissbruecker/linkding

Valid

Reported on Mar 19th 2022


Description

There are multiple IDORs I found, in bookmarks/<int:bookmark_id>/edit, bookmarks/<int:bookmark_id>/remove, bookmarks/<int:bookmark_id>/archive and bookmarks/<int:bookmark_id>/unarchive. It gets the object identified by bookmark_id without checking whether the owner of the object is the current user.

Proof of Concept

1. Go to https://demo.linkding.link/bookmarks/5/remove
2. The bookmark with id 5 will be removed even if you don't own the bookmark.

Impact

IDOR
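Added example (not linkding's code): the missing ownership check described above, modelled in plain Python so it runs without Django. Assumed: a Bookmark model with an owner field; an in-memory dict stands in for the ORM and NotFound stands in for Django's Http404.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Stands in for Django's Http404 (what get_object_or_404 raises)."""


@dataclass
class Bookmark:
    id: int
    owner: str          # assumed: per-object owner field on the Bookmark model
    url: str
    is_archived: bool = False


def make_store() -> dict:
    """Constructed sample data: bookmark 5 belongs to alice, bookmark 6 to bob."""
    return {
        5: Bookmark(5, "alice", "https://example.org/a"),
        6: Bookmark(6, "bob", "https://example.org/b"),
    }


def remove_vulnerable(store: dict, bookmark_id: int, current_user: str) -> None:
    """The reported pattern: the object is looked up by id alone and the
    current user is never compared against its owner."""
    if bookmark_id not in store:
        raise NotFound(bookmark_id)
    del store[bookmark_id]   # succeeds for any logged-in user, owner or not


def get_owned_bookmark(store: dict, bookmark_id: int, current_user: str) -> Bookmark:
    """Hardened lookup: the owner is part of the query itself, so someone else's
    id behaves exactly like a missing id (404 either way, no ownership oracle).
    Django equivalent: get_object_or_404(Bookmark, pk=bookmark_id, owner=request.user)."""
    bookmark = store.get(bookmark_id)
    if bookmark is None or bookmark.owner != current_user:
        raise NotFound(bookmark_id)
    return bookmark


def remove_fixed(store: dict, bookmark_id: int, current_user: str) -> None:
    """remove view with the check; edit/archive/unarchive share the same lookup."""
    get_owned_bookmark(store, bookmark_id, current_user)
    del store[bookmark_id]


def set_archived(store: dict, bookmark_id: int, current_user: str, archived: bool) -> Bookmark:
    """archive (archived=True) / unarchive (archived=False) via the guarded lookup."""
    bookmark = get_owned_bookmark(store, bookmark_id, current_user)
    bookmark.is_archived = archived
    return bookmark
```

The point of folding the owner into the lookup rather than checking it afterwards is that every per-object view gets the same behaviour for free and cannot forget the comparison.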

We are processing your report and will contact the sissbruecker/linkding team within 24 hours. (a year ago)
sissbruecker/linkding maintainer has acknowledged this report (a year ago)

Sascha (Maintainer), a year ago:

Thanks for reporting this @noobexploiterhuntrdev, this is kind of bad. But should be easy to fix. I'll try to get it done this week.

We have contacted a member of the sissbruecker/linkding team and are waiting to hear back (a year ago)
Sascha Ißbrücker validated this vulnerability (a year ago)
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sascha Ißbrücker marked this as fixed in 1.8.6 with commit 1ffc3e (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
bookmarks.py#L111 has been validated
bookmarks.py#L149 has been validated
bookmarks.py#L140 has been validated
bookmarks.py#L158 has been validated