Improper Privilege Management in patrowl/patrowlmanager

Valid

Reported on

Dec 11th 2021

Description

Hi there, I would like to report an improper privilege management in PatrowlManager - it's an IDOR. All imports findings file is placed under /media/imports/<owner_id>/<tmp_file> In that, owner_id is predictable and tmp_file is in format of import_<ownder_id>_<time_created>, for example: import_1_1639213059582.json This filename is predictable and allows anyone without logging in to download all finding import files

Proof of Concept

Install PatrowlManager on local.
Go to Finding -> Manual Import, choose a file and import finding.
See that a new file with format import_<ownder_id>_<time_created> is created under folder media/imports/<owner_id>.
Now open an anonymous browser tab and access the link http://localhost:8083/media/imports/<owner_id>/<tmp_file>.
See that you can download the file without logging in

Impact

This vulnerability is capable of allowing unlogged in users to download all finding imports file

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 2 years ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago

We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 2 years ago

A patrowl/patrowlmanager maintainer validated this vulnerability 2 years ago

ComradeKtg has been awarded the disclosure bounty

The fix bounty is now up for grabs

A patrowl/patrowlmanager maintainer

commented 2 years ago

Maintainer

Hi again ! Will fix ASAP in v1.7.7. Stay tuned ;)

A patrowl/patrowlmanager maintainer marked this as fixed in 1.7.7 with commit ba276f 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation