Summary
A missing access control vulnerability allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not been invited to the project or the project is personal.
The vulnerable features are Duplicate to project and Move to project, which both rely on the checkDestinationProjectValues() function to validate the submitted values.
Details
The vulnerability lies in the function checkDestinationProjectValues in the /app/Model/TaskDuplicationModel.php file, line 88:
```php
public function checkDestinationProjectValues(array &$values)
{
    // Check if the assigned user is allowed for the destination project
    if ($values['owner_id'] > 0 && ! $this->projectPermissionModel->isUserAllowed($values['project_id'], $values['owner_id'])) {
        $values['owner_id'] = 0;
    }

    // Check if the category exists for the destination project
    if ($values['category_id'] > 0) {
        $values['category_id'] = $this->categoryModel->getIdByName(
            $values['project_id'],
            $this->categoryModel->getNameById($values['category_id'])
        );
    }

    // Check if the swimlane exists for the destination project
    $values['swimlane_id'] = $this->swimlaneModel->getIdByName(
        $values['project_id'],
        $this->swimlaneModel->getNameById($values['swimlane_id'])
    );

    if ($values['swimlane_id'] == 0) {
        $values['swimlane_id'] = $this->swimlaneModel->getFirstActiveSwimlaneId($values['project_id']);
    }

    // Check if the column exists for the destination project
    if ($values['column_id'] > 0) {
        $values['column_id'] = $this->columnModel->getColumnIdByTitle(
            $values['project_id'],
            $this->columnModel->getColumnTitleById($values['column_id'])
        );

        $values['column_id'] = $values['column_id'] ?: $this->columnModel->getFirstColumnId($values['project_id']);
    }

    // Check if priority exists for destination project
    $values['priority'] = $this->projectTaskPriorityModel->getPriorityForProject(
        $values['project_id'],
        empty($values['priority']) ? 0 : $values['priority']
    );

    return $values;
}
```
As we can see, the only access check in this function is the isUserAllowed() call on owner_id, which verifies that the assigned user is a member of the destination project.
However, merely resetting owner_id to 0 is not enough, because it does not stop the function from continuing: the task is still moved or duplicated into the destination project_id.
This means that unauthorized users can still add tasks to other projects.
Note: The owner_id value also needs to be validated so that users cannot modify it. A user could set it to the ID of the owner of the project they are targeting, which satisfies the isUserAllowed() check and bypasses it that way.
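The defensive pattern the two notes above call for, as an added example that is not Kanboard's own code: the destination project is checked against the acting user's session ID (never a user ID taken from the request), and the request is rejected rather than continuing with a reset owner_id. The permission model is a constructed in-memory stub whose isUserAllowed($project_id, $user_id) mirrors the signature seen in the snippet above; ProjectPermissionStub and DestinationProjectGuard are hypothetical names.

```php
<?php
// Added example, not Kanboard's code: reject a move/duplicate into a project
// the current user is not a member of, instead of only zeroing owner_id.

final class ProjectPermissionStub
{
    // Constructed sample data: project_id => member user ids.
    private array $members = [
        1 => [10, 11],  // shared project
        2 => [20],      // personal project belonging to user 20
    ];

    public function isUserAllowed(int $projectId, int $userId): bool
    {
        return in_array($userId, $this->members[$projectId] ?? [], true);
    }
}

final class DestinationProjectGuard
{
    public function __construct(private ProjectPermissionStub $perm) {}

    // $currentUserId comes from the authenticated session, not from $values.
    // Throws when the acting user may not write to the destination project.
    public function checkDestinationProjectValues(array $values, int $currentUserId): array
    {
        $projectId = (int) ($values['project_id'] ?? 0);
        if ($projectId <= 0 || !$this->perm->isUserAllowed($projectId, $currentUserId)) {
            throw new RuntimeException("user $currentUserId is not allowed on project $projectId");
        }

        // The assignee must be a member too; a non-member assignee is only unset,
        // because the acting user has already been authorised above.
        $ownerId = (int) ($values['owner_id'] ?? 0);
        if ($ownerId > 0 && !$this->perm->isUserAllowed($projectId, $ownerId)) {
            $values['owner_id'] = 0;
        }
        return $values;
    }
}

// Demo: user 10 moves a task into project 1 (member) and project 2 (not a member).
$guard = new DestinationProjectGuard(new ProjectPermissionStub());
$ok = $guard->checkDestinationProjectValues(['project_id' => 1, 'owner_id' => 20], 10);
echo 'project 1: owner_id=', $ok['owner_id'], PHP_EOL;
try {
    $guard->checkDestinationProjectValues(['project_id' => 2, 'owner_id' => 20], 10);
} catch (RuntimeException $e) {
    echo 'project 2: ', $e->getMessage(), PHP_EOL;
}
```

Setting owner_id to the target project's owner no longer helps, because the first check is made on the session user rather than on any request field.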
PoC
Go to any task you wish to move and click on Move to Project.
Select a random project you have, click Save, and intercept the request.
Change the value of project_id to any project ID you want.
After that, the task gets added to the project you've chosen (even though it's not yours).
Note: The admin project shown in the video is a personal project.
2023-05-28.19-38-16.mp4
Impact
This allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not been invited or the project is personal.