Improper Privilege Management in patrowl/patrowlmanager
Dec 11th 2021
Hi there, I would like to report an improper privilege management issue in PatrowlManager; it is an IDOR. All finding import files are placed under /media/imports/<owner_id>/<tmp_file>. Here, owner_id is predictable and tmp_file has the format import_<owner_id>_<time_created>, for example import_1_1639213059582.json. This filename is predictable and allows anyone, without logging in, to download all finding import files.
Proof of Concept
- Install PatrowlManager locally.
- Go to Finding -> Manual Import, choose a file and import finding.
- See that a new file named import_<owner_id>_<time_created> is created under the folder media/imports/<owner_id>.
- Now open an anonymous browser tab and access the link http://localhost:8083/media/imports/<owner_id>/<tmp_file>.
- See that you can download the file without logging in.
This vulnerability allows users who are not logged in to download all finding import files.
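As an added example (not PatrowlManager's own code), the two server-side controls that close this class of issue: an ownership check that runs before a file under media/imports/ is served, and an unguessable filename in place of import_<owner_id>_<time_created>. The media root path and the hypothetical function names are assumptions; the directory layout follows the report.

```python
import re
import secrets
from pathlib import Path
from typing import Optional

# Hypothetical media root; the layout media/imports/<owner_id>/<tmp_file> is the one from the report.
MEDIA_ROOT = Path("/srv/patrowl-media").resolve()
IMPORTS_DIR = MEDIA_ROOT / "imports"

# Accepts both the current timestamp-based names (import_1_1639213059582.json)
# and the random-token names produced by unpredictable_import_name().
IMPORT_NAME = re.compile(r"^import_(\d+)_([0-9a-f]+)\.json$")


def unpredictable_import_name(owner_id: int) -> str:
    """Build an import filename that cannot be guessed from owner id and creation time.

    secrets.token_hex(16) gives 128 bits of randomness, so the name alone no longer
    lets an outsider enumerate other users' uploads even if the directory is reachable.
    """
    return f"import_{owner_id}_{secrets.token_hex(16)}.json"


def authorize_import_download(user_id: Optional[int], relative_path: str) -> bool:
    """Decide whether the requesting user may download media/imports/<relative_path>.

    Returns True only when the requester is authenticated, the normalised path stays
    inside IMPORTS_DIR, and both the owner folder and the filename's embedded owner id
    match the requester. Anonymous requests are always refused, which is the missing
    check behind the reported IDOR.
    """
    if user_id is None:  # anonymous request: the report's unauthenticated download case
        return False
    target = (IMPORTS_DIR / relative_path).resolve()
    try:
        owner_dir, filename = target.relative_to(IMPORTS_DIR).parts  # exactly two components
    except ValueError:  # escaped IMPORTS_DIR, or not <owner_id>/<tmp_file>
        return False
    if not owner_dir.isdigit() or int(owner_dir) != user_id:
        return False  # another user's folder
    match = IMPORT_NAME.match(filename)
    return bool(match) and int(match.group(1)) == user_id
```

In a Django deployment this check belongs in a login-protected view that serves the file, with the media/imports/ prefix removed from the web server's static media configuration so the view cannot be bypassed.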