Improper Privilege Management in patrowl/patrowlmanager

Valid

Reported on Dec 11th 2021


Description

Hi there, I would like to report an improper privilege management in PatrowlManager - it's an IDOR. All finding import files are placed under /media/imports/<owner_id>/<tmp_file>. In that, owner_id is predictable and tmp_file is in the format import_<owner_id>_<time_created>, for example: import_1_1639213059582.json. This filename is predictable and allows anyone, without logging in, to download all finding import files.

Proof of Concept

  1. Install PatrowlManager locally.
  2. Go to Finding -> Manual Import, choose a file and import findings.
  3. See that a new file with the format import_<owner_id>_<time_created> is created under the folder media/imports/<owner_id>.
  4. Now open an anonymous browser tab and access the link http://localhost:8083/media/imports/<owner_id>/<tmp_file>.
  5. See that you can download the file without logging in.

Impact

This vulnerability allows users who are not logged in to download all finding import files.
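The defensive point of the report is that a predictable path must never be the only access control. The function below is an added illustration (not PatrowlManager's own code, and not the content of the fix commit) of the authorization check a file-download view would apply before streaming a file from media/imports: it assumes the path layout from the report, rejects anonymous requests, rejects anything that is not a well-formed import path, and only lets an authenticated user fetch files under their own owner_id (a hypothetical staff flag may read any).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Path layout taken from the report:
#   /media/imports/<owner_id>/import_<owner_id>_<time_created>.json
# Anchored fullmatch plus a digits-only owner_id means "../" and other
# names never reach the filesystem.
IMPORT_PATH_RE = re.compile(
    r"^/media/imports/(?P<owner_id>\d+)/"
    r"(?P<name>import_(?P<name_owner>\d+)_\d+\.json)$"
)


@dataclass(frozen=True)
class Requester:
    """Minimal stand-in for the framework's request.user (assumption)."""
    is_authenticated: bool
    user_id: Optional[int]
    is_staff: bool = False  # hypothetical admin flag


def authorize_import_download(requester: Requester, url_path: str) -> bool:
    """Return True only if the requester may fetch this import file.

    Closes the IDOR described in the report: the file is served through
    a view that applies this check, never directly from the media folder.
    """
    m = IMPORT_PATH_RE.fullmatch(url_path)
    if m is None:
        return False  # traversal, foreign directory or odd filename
    if m.group("owner_id") != m.group("name_owner"):
        return False  # filename must belong to the directory's owner
    if not requester.is_authenticated or requester.user_id is None:
        return False  # anonymous download: the reported bug
    if requester.is_staff:
        return True
    return int(m.group("owner_id")) == requester.user_id


def import_path(owner_id: int, time_created_ms: int) -> str:
    """Build the URL path for an import file in the report's layout."""
    return f"/media/imports/{owner_id}/import_{owner_id}_{time_created_ms}.json"
```

Denied requests should also be logged with the requester and path, since repeated probes of other owner_ids are the signature of this being exploited.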

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 2 months ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 2 months ago
patrowl/patrowlmanager maintainer validated this vulnerability a month ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer (Maintainer), a month ago:

Hi again! Will fix ASAP in v1.7.7. Stay tuned ;)

patrowl/patrowlmanager maintainer confirmed that a fix has been merged on ba276f a month ago
The fix bounty has been dropped