POCs/Web/showdoc/IncorrectAccessControl/
The access control is not configured correctly. A user's note can be read by any other user, whoever they are.

PoC (note: none of the projects are password-protected).

0x01 Read

I registered two users in two separate browsers: kk123 and kk1234.

Then I recorded something as kk1234:

As shown in the URL, this note was allocated a page_id.

Next, I logged in as user kk123 and changed my page_id to 1209048744241494; I could then read kk1234's note.

Another page reveals information as well.

If I use Burp Suite, I see more information, such as the user's name.

0x02 Modify

I have already notified the owner to fix it.

Open another user's note and click the edit button; although a window pops up saying "you do not have the permission", you can still edit it.

I added a new line and saved it.

In the other user's account, the new line had been added.
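Both findings above (reading another user's note by page_id, and saving an edit to it despite the client-side "no permission" dialog) come from the same root cause: the server selects the note by page_id alone and never compares its owner with the logged-in user. The following is an added, constructed Python model of that defect next to the server-side fix; it is not ShowDoc's code, and the users, page ids and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class NotAuthorized(Exception):
    """Raised when the current user does not own the requested page."""


@dataclass
class Page:
    page_id: int
    owner: str
    content: str


@dataclass
class NoteStore:
    pages: Dict[int, Page] = field(default_factory=dict)

    def add(self, page: Page) -> None:
        self.pages[page.page_id] = page

    def find(self, page_id: int) -> Optional[Page]:
        return self.pages.get(page_id)


def make_sample_store() -> NoteStore:
    # Constructed data modelled on the write-up: two users, one private note each.
    # The page ids are made up; they are not the ids from the report.
    store = NoteStore()
    store.add(Page(1001, "kk123", "kk123's note"))
    store.add(Page(1002, "kk1234", "kk1234's note"))
    return store


def read_page_unchecked(store: NoteStore, page_id: int, current_user: str) -> str:
    """The vulnerable pattern (IDOR): the note is looked up by page_id only,
    so the identity of the requester never enters the decision."""
    page = store.find(page_id)
    if page is None:
        raise KeyError(page_id)
    return page.content


def require_owner(store: NoteStore, page_id: int, current_user: str) -> Page:
    """Server-side ownership check shared by every read and write path.
    A missing page and someone else's page both raise NotAuthorized, so a
    caller cannot tell "exists but not mine" from "does not exist" and use
    the difference to enumerate valid ids."""
    page = store.find(page_id)
    if page is None or page.owner != current_user:
        raise NotAuthorized(f"user {current_user!r} may not access page {page_id}")
    return page


def can_access(store: NoteStore, page_id: int, current_user: str) -> bool:
    """Boolean form of the same check, e.g. for deciding whether to render
    the edit button; the server-side check still runs on every request."""
    page = store.find(page_id)
    return page is not None and page.owner == current_user


def read_page(store: NoteStore, page_id: int, current_user: str) -> str:
    """Hardened read: the lookup is gated on ownership."""
    return require_owner(store, page_id, current_user).content


def append_line(store: NoteStore, page_id: int, current_user: str, line: str) -> str:
    """Hardened edit: the save path runs the same check as the read path.
    A client-side "you do not have the permission" dialog is not enforcement;
    the server must refuse the write itself."""
    page = require_owner(store, page_id, current_user)
    page.content = page.content + "\n" + line
    return page.content


if __name__ == "__main__":
    store = make_sample_store()
    # Unchecked lookup: kk123 reads kk1234's note by guessing its page_id.
    print(read_page_unchecked(store, 1002, "kk123"))
    # Checked lookup: the same request is refused.
    try:
        read_page(store, 1002, "kk123")
    except NotAuthorized as exc:
        print("refused:", exc)
```

The point of `require_owner` being the single gate is that every handler that touches a note (view, edit, save, export) calls it, so the fix cannot be bypassed by finding one more endpoint, as the second "Another page reveals information as well" observation above shows happens when checks are added per page. When reviewing a fix for this class of bug, verify that the ownership comparison happens in the server-side handler for the save request, not only in the code that decides whether to show the edit button.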