
broken access control #749

Closed
VikramRajVashisth opened this issue Mar 27, 2019 · 2 comments

Comments


@VikramRajVashisth VikramRajVashisth commented Mar 27, 2019

Threat: sensitive data disclosure
Risk level: HIGH
Complexity: medium
Vulnerable functions: Bagisto front end
The functionality listed below is designed for customers to change their own values, such as address, review etc., but can also be manipulated by other customers.
1) Address field: /bagisto-103-206-131-18/customer/account/addresses/edit/[ item_value ]
2) Review: /bagisto-common/customer/account/reviews/delete/[ item_value ]
3) Orders: /bagisto-common/customer/account/orders/view/[ item_value ]

Tool Used: Burp proxy (to manipulate requests)
Steps to reproduce the attack:
1.1) Address field:
Step 1: create two users
user 1: demo01@webkul.com
user 2: demo@example.com (default user on demo)
Step 2: Add multiple addresses to both users and check their ids.
Step 3: Edit the address using another user's address id, which will show you the address of that user.

User1 can modify/view/delete addresses of User2 and vice versa.
Similarly, the same technique can be used to exploit other functions.

1.2) Product review:
Review id can be changed to another user's review id to delete review made by another user.
1.3) Orders :
Order id can be changed to view orders made by another user.

Impacts of vulnerability:
Sensitive data disclosure, where a user can easily view another user's data.
Reference:
https://www.owasp.org/index.php/Broken_Access_Control
https://www.htbridge.com/blog/OWASP-broken-access-control.html
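The reported pattern is a missing ownership check on a per-customer resource, so the fix is to resolve the record through the logged-in customer rather than by a raw id. The following is an added Laravel-style illustration written for this note, not Bagisto's own code or the commits linked below; the `Address` model, the `customer` auth guard, the `addresses()` relation, the view name and the route names are assumed.

```php
<?php
// Added example (not Bagisto's code): scoping a per-customer resource
// lookup so a customer can only reach records that belong to them.
// Assumed names: App\Models\Address, a "customer" auth guard, and a
// Customer::addresses() hasMany relation.

use Illuminate\Http\Request;
use App\Models\Address;

class AddressController
{
    // VULNERABLE: the id from the URL is trusted as-is. Any authenticated
    // customer can load and modify any address row by changing the id,
    // which is the behaviour reported above for addresses, reviews and orders.
    public function editInsecure(int $id)
    {
        $address = Address::findOrFail($id);
        return view('customer.address.edit', compact('address'));
    }

    // FIXED: resolve the record through the logged-in customer's own
    // relation. An id belonging to someone else is simply not found, so
    // the response is a 404 and other customers' rows are not revealed.
    public function edit(Request $request, int $id)
    {
        $customer = $request->user('customer'); // guard name is an assumption
        $address  = $customer->addresses()->findOrFail($id);
        return view('customer.address.edit', compact('address'));
    }

    // The same scoping must be applied on every write path, not only on
    // the read path, otherwise update/delete stay exploitable.
    public function update(Request $request, int $id)
    {
        $address = $request->user('customer')->addresses()->findOrFail($id);
        $address->fill($request->only(['address1', 'city', 'postcode']))->save();
        return redirect()->route('customer.address.index');
    }

    public function destroy(Request $request, int $id)
    {
        $request->user('customer')->addresses()->findOrFail($id)->delete();
        return redirect()->route('customer.address.index');
    }
}
```

Reviews and orders get the same treatment: look them up via the customer's own relation (or a policy that compares the owner column to the authenticated customer) instead of a global find by id.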


@prashant-webkul prashant-webkul commented Mar 27, 2019

@VikramRajVashisth Thanks for finding this one.

prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Mar 31, 2019
prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Apr 1, 2019
prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Apr 1, 2019
@prashant-webkul prashant-webkul moved this from High priority to Fixed but waiting for release in Issues Dashboard Apr 1, 2019

@jyoti-webkul jyoti-webkul commented Apr 2, 2019

Framework Version: 0.1.5
Fixed

Issues Dashboard automation moved this from Fixed but waiting for release to Closed Apr 2, 2019
rahulshukla-webkul added a commit to rahulshukla-webkul/bagisto that referenced this issue Apr 9, 2019