Improper Privilege Management in patrowl/patrowlmanager
Valid
Reported on Dec 11th 2021
Description
Hi there, I would like to report an improper privilege management issue in PatrowlManager: it is an IDOR. All imported findings files are placed under /media/imports/<owner_id>/<tmp_file>. In that path, owner_id is predictable and tmp_file has the format import_<owner_id>_<time_created>, for example: import_1_1639213059582.json. This filename is predictable and allows anyone, without logging in, to download all finding import files.
Proof of Concept
- Install PatrowlManager locally.
- Go to Finding -> Manual Import, choose a file and import the findings.
- See that a new file with the format import_<owner_id>_<time_created> is created under the folder media/imports/<owner_id>.
- Now open an anonymous browser tab and access the link http://localhost:8083/media/imports/<owner_id>/<tmp_file>.
- See that you can download the file without logging in.
Impact
This vulnerability allows users who are not logged in to download all finding import files.
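The root cause described above is that the web server hands out files under /media/imports/<owner_id>/<tmp_file> with no authentication and with fully predictable names. The block below is an added example, not PatrowlManager's code or its actual v1.7.7 fix: it shows the ownership check a download view would apply once the static /media/imports/ route stops serving those files directly. The function name `authorize_import_download`, the `Decision` type, and the `is_staff` override are assumptions made for this illustration; the path layout and the import_<owner_id>_<time_created>.json naming come from the report.

```python
"""Added example (not PatrowlManager's code): an ownership check for files
served from /media/imports/<owner_id>/<file>, the layout described in the
report. Framework-agnostic so it runs stand-alone; it is assumed to be called
from the download view after /media/imports/ is no longer served as plain
static content."""
import re
from dataclasses import dataclass
from typing import Optional

# Only names of the form import_<owner_id>_<time_created>.json are accepted;
# dotfiles, other extensions and anything with path separators are rejected.
IMPORT_FILE_RE = re.compile(r"^import_(\d+)_(\d+)\.json$")
# The URL path must be exactly /media/imports/<digits>/<single segment>.
IMPORT_PATH_RE = re.compile(r"^/media/imports/(\d+)/([^/]+)$")


@dataclass
class Decision:
    """Outcome of the authorization check (hypothetical type for this example)."""
    allowed: bool
    reason: str
    filename: Optional[str] = None


def authorize_import_download(path: str, user_id: Optional[int],
                              is_staff: bool = False) -> Decision:
    """Decide whether the requester may fetch the import file at `path`.

    `user_id` is None for anonymous requests, which is exactly the report's
    scenario: knowing the predictable name must not be enough to get the file.
    """
    if user_id is None:
        return Decision(False, "authentication required")

    m = IMPORT_PATH_RE.match(path)
    if not m:
        # Covers traversal attempts such as /media/imports/1/../2/x.json,
        # which contain an extra path segment and so never match.
        return Decision(False, "not an import file path")
    owner_id, filename = int(m.group(1)), m.group(2)

    fm = IMPORT_FILE_RE.match(filename)
    if not fm:
        return Decision(False, "malformed import filename")
    if int(fm.group(1)) != owner_id:
        # The filename embeds its owner; it must agree with the directory.
        return Decision(False, "filename owner does not match directory")

    if owner_id != user_id and not is_staff:
        # The core IDOR fix: the object id in the URL is compared to the
        # authenticated identity instead of being trusted.
        return Decision(False, "not the owner")
    return Decision(True, "ok", filename)


if __name__ == "__main__":
    # Constructed sample requests mirroring the report's proof of concept.
    sample = "/media/imports/1/import_1_1639213059582.json"
    for uid in (None, 1, 2):
        d = authorize_import_download(sample, uid)
        print(f"user={uid!s:>4} allowed={d.allowed} reason={d.reason}")
```

Three properties are checked in order: the caller is authenticated, the URL is a single well-formed segment under a numeric owner directory, and the owner encoded in both the directory and the filename matches the caller. Denying anonymous access first means the predictability of the name no longer matters, which is the mitigation the report calls for.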
Hi again! Will fix ASAP in v1.7.7. Stay tuned ;)
The fix bounty has been dropped
This vulnerability will not receive a CVE