
broken access control #749

Closed
VikramRajVashisth opened this issue Mar 27, 2019 · 2 comments
Labels: Bug Fixed (When bug issue is fixed), Critical (Something critical. Need immediate access), Customer (Customer package related issue), Shop (Shop package related issues)

Comments

@VikramRajVashisth

Threat: sensitive data disclosure
Risk level: HIGH
Complexity: medium
Vulnerable functions: Bagisto front end
The functionality listed below is designed for customers to change their own values, such as address, review, etc., but it can also be manipulated by other customers.
1) Address field: /bagisto-103-206-131-18/customer/account/addresses/edit/[ item_value ]
2) Review: /bagisto-common/customer/account/reviews/delete/[ item_value ]
3) Orders: /bagisto-common/customer/account/orders/view/[ item_value ]

Tool Used: Burp proxy (to manipulate requests)
Steps to reproduce the attack:
1.1) Address field:
Step 1: Create two users
user 1 : demo01@webkul.com
user 2 : demo@example.com (default user on demo)
Step 2: Add multiple addresses to both users and check their IDs.
Step 3: Edit an address using the other user's address ID, which will show you that user's address.

User1 can modify/view/delete addresses of User2 and vice versa.
Similarly, the same technique can be used to exploit other functions.

1.2) Product review:
The review ID can be changed to another user's review ID to delete a review made by another user.
1.3) Orders :
The order ID can be changed to view orders made by another user.

Impacts of vulnerability:
Sensitive data disclosure where a user can easily view another user's data.
Reference:
https://www.owasp.org/index.php/Broken_Access_Control
https://www.htbridge.com/blog/OWASP-broken-access-control.html
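The three endpoints in the report share one root cause: the record is loaded by the id taken from the URL alone, and the logged-in customer never enters the query. What follows is an added example, not Bagisto's own code and not the fix from the commits referenced below. It models that lookup and the ownership-scoped form against an in-memory SQLite schema; the table names, the mapping from URL segment to table, and the sample rows are assumptions constructed for this example, not Bagisto's schema or data. The `cross_account_probe` function automates what the Burp steps above do by hand: it tries every resource id as every customer who does not own it and reports what leaks.

```python
"""Added example (not Bagisto code): the id-only lookup behind the reported IDOR
and the ownership-scoped form, plus a cross-account probe, on in-memory SQLite."""
import sqlite3
from typing import Callable, List, Optional, Tuple

# Constructed sample data: the two accounts named in the report, each owning rows.
# Table names and columns are assumptions for the example, not Bagisto's schema.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE customer_addresses (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, address1 TEXT);
CREATE TABLE product_reviews (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, comment TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, grand_total REAL);
INSERT INTO customers VALUES (1, 'demo@example.com'), (2, 'demo01@webkul.com');
INSERT INTO customer_addresses VALUES (10, 1, '1 Demo Street'), (11, 1, '2 Demo Street'), (12, 2, '9 Webkul Road');
INSERT INTO product_reviews VALUES (20, 1, 'Great'), (21, 2, 'Meh');
INSERT INTO orders VALUES (30, 1, 19.99), (31, 2, 250.00), (32, 2, 12.50);
"""

# URL segment from the report -> table. A fixed allowlist, so interpolating the
# table name into SQL below is safe; the ids are still bound as parameters.
RESOURCE_TABLES = {"addresses": "customer_addresses",
                   "reviews": "product_reviews",
                   "orders": "orders"}

Row = Optional[tuple]
Finder = Callable[[sqlite3.Connection, str, int, int], Row]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_find(conn: sqlite3.Connection, resource: str, item_id: int,
                    current_customer_id: int) -> Row:
    """The reported behaviour: the row is fetched by its id alone. The logged-in
    customer is passed in but never consulted, so any id the attacker guesses works."""
    table = RESOURCE_TABLES[resource]
    return conn.execute(f"SELECT * FROM {table} WHERE id = ?", (item_id,)).fetchone()


def scoped_find(conn: sqlite3.Connection, resource: str, item_id: int,
                current_customer_id: int) -> Row:
    """Hardened form: ownership is part of the lookup predicate. A foreign id is
    indistinguishable from a non-existent one, so the endpoint leaks nothing."""
    table = RESOURCE_TABLES[resource]
    return conn.execute(f"SELECT * FROM {table} WHERE id = ? AND customer_id = ?",
                        (item_id, current_customer_id)).fetchone()


def scoped_delete(conn: sqlite3.Connection, resource: str, item_id: int,
                  current_customer_id: int) -> int:
    """Same rule for destructive actions (the review-delete case): the ownership
    predicate lives in the DELETE itself. Returns the number of rows removed."""
    table = RESOURCE_TABLES[resource]
    cur = conn.execute(f"DELETE FROM {table} WHERE id = ? AND customer_id = ?",
                       (item_id, current_customer_id))
    return cur.rowcount


def cross_account_probe(conn: sqlite3.Connection, find: Finder) -> List[Tuple[str, int, int]]:
    """Try every resource id as every customer who does not own it. Returns the
    (resource, id, attacker_customer_id) triples that are readable; [] means no IDOR."""
    leaks = []
    customers = [r[0] for r in conn.execute("SELECT id FROM customers").fetchall()]
    for resource, table in RESOURCE_TABLES.items():
        rows = conn.execute(f"SELECT id, customer_id FROM {table}").fetchall()
        for rid, owner in rows:
            for attacker in customers:
                if attacker != owner and find(conn, resource, rid, attacker) is not None:
                    leaks.append((resource, rid, attacker))
    return leaks


if __name__ == "__main__":
    db = open_db()
    print("id-only lookup leaks:", cross_account_probe(db, vulnerable_find))
    print("scoped lookup leaks:  ", cross_account_probe(db, scoped_find))
    print("user 1 deleting user 2's review 21 removed",
          scoped_delete(db, "reviews", 21, 1), "rows")
```

Putting the ownership condition in the predicate (`... AND customer_id = ?`) rather than loading the row and comparing owner fields afterwards means a forgotten comparison cannot reintroduce the bug, and a foreign id gets the same "not found" as a non-existent one, so the endpoint does not confirm which ids exist. In Laravel terms this is the difference between `Model::findOrFail($id)` and a query constrained to the authenticated customer, and the same predicate belongs on the edit, update and delete paths, not only on view.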

@jitendra-webkul added the Critical label Mar 27, 2019
@prashant-webkul (Contributor)

@VikramRajVashisth Thanks for finding this one.

prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Mar 31, 2019
prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Apr 1, 2019
prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Apr 1, 2019
@prashant-webkul added the Bug Fixed, Customer and Shop labels Apr 1, 2019
@jyoti-webkul (Contributor)

Framework Version: 0.1.5
Fixed

rahulshukla-webkul added a commit to rahulshukla-webkul/bagisto that referenced this issue Apr 9, 2019