Able to view all PM's even when not authenticated #6

Closed
Wild1145 opened this issue Dec 7, 2021 · 1 comment

Wild1145 commented Dec 7, 2021

If User A starts a conversation with User B (Conversation ID 1 in this case) any other user or unauthenticated user can access the full conversation history via the API, along with sensitive information that would usually only be accessible to admins.

This is achieved through the API, for example https://mydomain.com/api/whisper/messages/1

@clarkwinkelmann

I can confirm the issue. Guests can read all messages through the REST API.

The problem is on line 40 of ListMessagesController. ->get() will return a Collection instance, which will always evaluate as true. It can be replaced by many options; best is probably ->exists(), but it could also be ->count() or ->first().

```php
// ListMessagesController, line 40 (as reported). ->get() returns a Collection,
// and any object evaluates as true in PHP, so this condition is never met and
// the check never denies access, not even to guests.
if (!$conversation->recipients()->where('user_id', $actor->id)->get()) {
```

@KyrneDev, while you take a look at access control: I see in https://github.com/KyrneDev/whisper/blob/master/src/Commands/ReadMessageHandler.php that you never validate whether messageId actually belongs to conversationId, so it seems you could pass a message ID from a different conversation and set a read number higher than intended. There doesn't seem to be any serious security issue, though, because nothing about messageId is returned to the client (except for the ID's existence), and no attributes are updated on the message either. It seems to just be used to retrieve the number. Potentially, by reading the websocket and sending REST API requests for every possible post ID, you might be able to guess how many different discussions are happening on the forum at any given time.
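The two points above, as an added example that is not part of the issue and not code from the whisper project: why the `!$collection` check can never deny access, what the hardened check looks like, and how a message ID should be scoped to its conversation. The `Collection` class, `recipientRows()`, `RECIPIENTS` and `MESSAGES` are stand-ins and constructed data so the script runs offline with plain PHP; the real code would use the Eloquent query builder.

```php
<?php
// Added example, not code from the whisper project. A minimal stand-in for
// Illuminate\Support\Collection and constructed recipient/message tables keep
// it runnable offline; the shapes mirror the query in ListMessagesController.
declare(strict_types=1);

final class Collection implements Countable
{
    public function __construct(private array $items = []) {}
    public function count(): int    { return count($this->items); }
    public function isEmpty(): bool { return $this->items === []; }
}

// Constructed data: conversation 1 has recipients 10 and 11; conversation 2 has 20.
const RECIPIENTS = [1 => [10, 11], 2 => [20]];
// Constructed data: message id => conversation it belongs to.
const MESSAGES = [100 => 1, 101 => 1, 200 => 2];

// Stand-in for $conversation->recipients()->where('user_id', $actorId)->get().
function recipientRows(int $conversationId, int $actorId): Collection
{
    $rows = array_filter(RECIPIENTS[$conversationId] ?? [], fn(int $id) => $id === $actorId);
    return new Collection(array_values($rows));
}

// Vulnerable form of the check: the result is an object, and every object is
// truthy in PHP, so `!$rows` is false even when the query matched no row.
function canReadVulnerable(int $conversationId, int $actorId): bool
{
    $rows = recipientRows($conversationId, $actorId);
    if (!$rows) {
        return false; // unreachable: an empty Collection is still truthy
    }
    return true;
}

// Hardened form: ask whether any matching row exists. With the real query
// builder this is ->exists(); ->count() > 0 or ->first() !== null also work.
function canReadHardened(int $conversationId, int $actorId): bool
{
    return !recipientRows($conversationId, $actorId)->isEmpty();
}

// Second point: a message id supplied by the client must be checked against the
// conversation it is claimed for, or a caller can reference messages from
// conversations they are not a recipient of.
function messageBelongsToConversation(int $messageId, int $conversationId): bool
{
    return (MESSAGES[$messageId] ?? null) === $conversationId;
}

// Actor 99 is not a recipient of conversation 1.
var_dump(canReadVulnerable(1, 99));              // the bug: an outsider is let through
var_dump(canReadHardened(1, 99));                // denied
var_dump(canReadHardened(1, 10));                // a real recipient is allowed
var_dump(messageBelongsToConversation(200, 1));  // message from conversation 2: rejected
```

Running the script shows `canReadVulnerable(1, 99)` returning true while `canReadHardened(1, 99)` returns false; the difference is only whether the code tests the object or the row count. A guest actor has no recipient row either, so the same fix covers the unauthenticated case reported in this issue.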

@KyrneDev KyrneDev closed this as completed Dec 7, 2021