Improper Access Control in alanaktion/phproject
Valid
Reported on Feb 14th 2022
Description
The application has a vulnerability that allows anonymous users to download files stored on the server. In addition, when an authenticated user deletes a file from an issue, the file is only unlinked from the issue, not actually removed from the server. As a result, anonymous users can still download the entire file that was attached to the issue, even after it has been deleted.
Proof of Concept
- Step 1: Create an issue at https://demo.phproject.org/issues/new with the demo account.
- Step 2: In issue 13 (https://demo.phproject.org/issues/13), upload a png file (id 22) and an html file (id 23), then delete the html file.
- Step 3: Send a request to https://demo.phproject.org/files/preview/22 with no Cookie header. The content of the png file is returned.
- Step 4: Send a request to https://demo.phproject.org/files/preview/23 with no Cookie header; you will be redirected to https://demo.phproject.org/files/23/tmp_html.html, where the content of the html file is visible.
- PoC:
  - id 22: https://drive.google.com/file/d/11fmWcHLDKxawnb8r--C47XMN-vJSFxJM/view?usp=sharing
  - id 23: https://drive.google.com/file/d/1t1UqwHJvfrQs6qjE1Qb6xoq6KqKGjExe/view?usp=sharing
Impact
Unauthenticated users can retrieve every file attached to issues, including attachments that have been deleted.
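The report describes two separate defects: the preview endpoint serves a file without checking for a logged-in session, and the delete action only detaches the attachment row from the issue while the file itself stays on disk. The following is an added illustration, not phproject's code: a constructed in-memory attachment store with both behaviours side by side, the vulnerable variant as the report describes it and a hardened variant that rejects anonymous requests, treats a deleted attachment as gone, and removes the bytes from disk. The class and method names, the session dictionary and the sample files are all assumptions made for the example.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Attachment:
    """One file attached to an issue (constructed model, not phproject's schema).
    `unlinked` mirrors the report: the delete action only detaches the row."""
    id: int
    issue_id: int
    path: str
    unlinked: bool = False


class AttachmentStore:
    """Constructed model of an issue-tracker attachment store."""

    def __init__(self, root: str) -> None:
        self.root = root
        self.rows: dict = {}
        self.next_id = 1

    def upload(self, issue_id: int, name: str, content: bytes) -> int:
        # Only the basename is used, so a name like "../x" cannot escape `root`.
        path = os.path.join(self.root, f"{self.next_id}_{os.path.basename(name)}")
        with open(path, "wb") as fh:
            fh.write(content)
        self.rows[self.next_id] = Attachment(self.next_id, issue_id, path)
        self.next_id += 1
        return self.next_id - 1

    # ---- behaviour as described in the report --------------------------------
    def preview_vulnerable(self, session: dict, file_id: int):
        att = self.rows.get(file_id)
        if att is None:
            return None                       # unknown id -> 404
        # No session check and no look at `unlinked`: anyone who knows the id
        # gets the bytes as long as the file is still on disk.
        with open(att.path, "rb") as fh:
            return fh.read()

    def delete_vulnerable(self, session: dict, file_id: int) -> None:
        # Detaches the row from the issue but leaves the file on disk.
        self.rows[file_id].unlinked = True

    # ---- hardened version ------------------------------------------------------
    def preview_fixed(self, session: dict, file_id: int):
        if not session.get("user_id"):
            raise PermissionError("login required")  # anonymous -> deny
        att = self.rows.get(file_id)
        if att is None or att.unlinked:
            return None                       # deleted means gone, not just hidden
        with open(att.path, "rb") as fh:
            return fh.read()

    def delete_fixed(self, session: dict, file_id: int) -> None:
        if not session.get("user_id"):
            raise PermissionError("login required")
        att = self.rows.pop(file_id, None)
        if att is None:
            return
        try:
            os.remove(att.path)               # remove the bytes, not only the row
        except FileNotFoundError:
            pass


def demo() -> dict:
    """Exercise both variants on constructed sample files; returns observations."""
    results = {}
    anon, user = {}, {"user_id": 1}           # no Cookie header vs. constructed demo login
    png_bytes, html_bytes = b"\x89PNG constructed bytes", b"<h1>constructed</h1>"

    vuln = AttachmentStore(tempfile.mkdtemp())
    png = vuln.upload(13, "image.png", png_bytes)
    html = vuln.upload(13, "tmp_html.html", html_bytes)
    vuln.delete_vulnerable(user, html)
    results["vuln_anon_reads_png"] = vuln.preview_vulnerable(anon, png) == png_bytes
    results["vuln_anon_reads_deleted_html"] = vuln.preview_vulnerable(anon, html) == html_bytes

    fixed = AttachmentStore(tempfile.mkdtemp())
    png = fixed.upload(13, "image.png", png_bytes)
    html = fixed.upload(13, "tmp_html.html", html_bytes)
    html_path = fixed.rows[html].path
    fixed.delete_fixed(user, html)
    try:
        fixed.preview_fixed(anon, png)
        results["fixed_anon_blocked"] = False
    except PermissionError:
        results["fixed_anon_blocked"] = True
    results["fixed_user_reads_png"] = fixed.preview_fixed(user, png) == png_bytes
    results["fixed_deleted_html_gone"] = (
        fixed.preview_fixed(user, html) is None and not os.path.exists(html_path)
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hardened variant only checks that a session exists; a real fix should additionally confirm that the logged-in user is allowed to view the issue the attachment belongs to, and a deletion should be logged so that later access attempts against a removed id can be spotted in the web server log.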
We are processing your report and will contact the alanaktion/phproject team within 24 hours. (a year ago)
We have contacted a member of the alanaktion/phproject team and are waiting to hear back. (a year ago)
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. (a year ago)
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. (a year ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.