Improper Access Control in alanaktion/phproject

Valid

Reported on Feb 14th 2022


Description

The application has a vulnerability that allows anonymous (unauthenticated) users to download files stored on the server. In addition, when an authenticated user deletes a file from an issue, only the attachment record is unlinked; the file itself is not removed from the server. As a result, anonymous users can download any file that has ever been attached to an issue, even after the file has been deleted.
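The two defects described above (a file-preview endpoint with no authorization check, and a delete that only unlinks the record) are what a fix has to address. The following is an added example written for this report, not phproject's own code: a minimal attachment store whose preview requires an authenticated member of the owning issue, and whose delete removes the bytes from disk as well as the record. All names (AttachmentStore, the demo user, issue id 13) are hypothetical.

```python
"""
Added example (not phproject's own code): a small attachment store that
avoids the two defects in the report.

1. Serving a file requires an authenticated user who may view the owning issue.
2. Deleting an attachment removes the file from disk as well as the record,
   so no orphaned file stays reachable.

All names used here are hypothetical.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class Attachment:
    id: int
    issue_id: int
    path: str
    deleted: bool = False


class AttachmentStore:
    def __init__(self, root: str):
        self.root = root
        self._files: dict[int, Attachment] = {}
        self._issue_members: dict[int, set[str]] = {}
        self._next_id = 1

    def grant(self, issue_id: int, user: str) -> None:
        self._issue_members.setdefault(issue_id, set()).add(user)

    def _can_view(self, issue_id: int, user: Optional[str]) -> bool:
        # Anonymous requests (user is None) never pass; issue members do.
        return user is not None and user in self._issue_members.get(issue_id, set())

    def upload(self, issue_id: int, user: str, data: bytes) -> int:
        if not self._can_view(issue_id, user):
            raise PermissionError("not a member of the issue")
        # Store under a server-chosen name, never the user-supplied one.
        fid = self._next_id
        self._next_id += 1
        path = os.path.join(self.root, f"{fid}.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        self._files[fid] = Attachment(fid, issue_id, path)
        return fid

    def preview(self, fid: int, user: Optional[str]) -> bytes:
        att = self._files.get(fid)
        # Same refusal for unknown, deleted and forbidden ids, so the
        # endpoint does not act as an oracle for which ids exist.
        if att is None or att.deleted or not self._can_view(att.issue_id, user):
            raise PermissionError("forbidden")
        with open(att.path, "rb") as fh:
            return fh.read()

    def delete(self, fid: int, user: str) -> None:
        att = self._files.get(fid)
        if att is None or att.deleted or not self._can_view(att.issue_id, user):
            raise PermissionError("forbidden")
        # Remove the bytes on disk, not only the database record.
        os.remove(att.path)
        att.deleted = True

    def file_on_disk(self, fid: int) -> bool:
        return os.path.exists(self._files[fid].path)


def demo() -> dict:
    """Replay the report's scenario against the hardened store."""
    store = AttachmentStore(tempfile.mkdtemp())
    store.grant(13, "demo")
    png_bytes = b"\x89PNG constructed sample"          # constructed sample data
    png = store.upload(13, "demo", png_bytes)
    html = store.upload(13, "demo", b"<html>constructed</html>")
    store.delete(html, "demo")
    results = {
        "member_reads_png": store.preview(png, "demo") == png_bytes,
        "anon_png_denied": False,
        "anon_deleted_denied": False,
        "deleted_file_gone": not store.file_on_disk(html),
    }
    for key, fid in (("anon_png_denied", png), ("anon_deleted_denied", html)):
        try:
            store.preview(fid, None)
        except PermissionError:
            results[key] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The check that matters is inside `preview`: the user is resolved from the session (here passed explicitly, `None` for anonymous) and must be a member of the issue that owns the attachment; the numeric id alone grants nothing. `delete` performs the same check and then calls `os.remove`, so a later request for the deleted id finds neither a live record nor a file.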

Proof of Concept

  • Step 1: Create an issue at https://demo.phproject.org/issues/new with the demo account.
  • Step 2: In issue 13 (https://demo.phproject.org/issues/13), upload a PNG file (id 22) and an HTML file (id 23). Then delete the HTML file.
  • Step 3: Request https://demo.phproject.org/files/preview/22 with no cookie header. The content of the PNG file is returned.
  • Step 4: Request https://demo.phproject.org/files/preview/23 with no cookie header. You are redirected to https://demo.phproject.org/files/23/tmp_html.html and can see the content of the deleted HTML file.
  • PoC:

id 22: https://drive.google.com/file/d/11fmWcHLDKxawnb8r--C47XMN-vJSFxJM/view?usp=sharing

id 23: https://drive.google.com/file/d/1t1UqwHJvfrQs6qjE1Qb6xoq6KqKGjExe/view?usp=sharing

Impact

Unauthenticated users can retrieve every file attached to any issue, including attachments that have been deleted.

We are processing your report and will contact the alanaktion/phproject team within 24 hours. 3 months ago
We have contacted a member of the alanaktion/phproject team and are waiting to hear back 3 months ago
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. 3 months ago
Alan Hardman validated this vulnerability 2 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman confirmed that a fix has been merged on 3cdfb4 2 months ago
The fix bounty has been dropped