
Missing Access Control allows User to move and duplicate tasks to any project in the software

Moderate
fguillot published GHSA-gf8r-4p6m-v8vr Jun 3, 2023

Package

No package listed

Affected versions

<= 1.2.29

Patched versions

1.2.30

Description

Summary

A missing access control vulnerability that allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not been invited or the project is personal.

The vulnerable features are Duplicate to project and Move to project, which both rely on the checkDestinationProjectValues() function to validate the submitted values.

Details

The vulnerability lies in the function checkDestinationProjectValues in the /app/Model/TaskDuplicationModel.php file, line 88:

```php
public function checkDestinationProjectValues(array &$values)
{
    // Check if the assigned user is allowed for the destination project
    if ($values['owner_id'] > 0 && ! $this->projectPermissionModel->isUserAllowed($values['project_id'], $values['owner_id'])) {
        $values['owner_id'] = 0;
    }

    // Check if the category exists for the destination project
    if ($values['category_id'] > 0) {
        $values['category_id'] = $this->categoryModel->getIdByName(
            $values['project_id'],
            $this->categoryModel->getNameById($values['category_id'])
        );
    }

    // Check if the swimlane exists for the destination project
    $values['swimlane_id'] = $this->swimlaneModel->getIdByName(
        $values['project_id'],
        $this->swimlaneModel->getNameById($values['swimlane_id'])
    );

    if ($values['swimlane_id'] == 0) {
        $values['swimlane_id'] = $this->swimlaneModel->getFirstActiveSwimlaneId($values['project_id']);
    }

    // Check if the column exists for the destination project
    if ($values['column_id'] > 0) {
        $values['column_id'] = $this->columnModel->getColumnIdByTitle(
            $values['project_id'],
            $this->columnModel->getColumnTitleById($values['column_id'])
        );

        $values['column_id'] = $values['column_id'] ?: $this->columnModel->getFirstColumnId($values['project_id']);
    }

    // Check if priority exists for destination project
    $values['priority'] = $this->projectTaskPriorityModel->getPriorityForProject(
        $values['project_id'],
        empty($values['priority']) ? 0 : $values['priority']
    );

    return $values;
}
```

As we can see, this part of the code only checks whether the assigned user (owner_id) is allowed on the declared destination project:

```php
if ($values['owner_id'] > 0 && ! $this->projectPermissionModel->isUserAllowed($values['project_id'], $values['owner_id'])) {
    $values['owner_id'] = 0;
}
```

However, merely resetting owner_id to 0 is not enough, because it does not stop execution: the function keeps running and the task is still written to the destination project.
This means that unauthorized users can still add tasks to other projects.

Note: The owner_id value must also be validated and protected from modification by the user, because a user could set it to the id of a member of the project they are targeting and thereby bypass the isUserAllowed() check.
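For contrast, the following is an added illustration of how the destination check could be enforced properly; it is not Kanboard's own code or its actual fix. It assumes a permission model exposing isUserAllowed($projectId, $userId) as shown above, an AccessForbiddenException class, and that the acting user's id is taken from the session rather than from the request.

```php
<?php
// Added example (not Kanboard's own code): reject a move/duplicate outright when
// the acting user is not allowed on the destination project, instead of only
// resetting owner_id and continuing as the vulnerable function does.
// TaskTransferGuard and assertCanTransfer are hypothetical names.

use Kanboard\Core\Controller\AccessForbiddenException; // assumed to exist

class TaskTransferGuard
{
    private $projectPermissionModel; // assumed: exposes isUserAllowed($projectId, $userId)

    public function __construct($projectPermissionModel)
    {
        $this->projectPermissionModel = $projectPermissionModel;
    }

    /**
     * Validate a move/duplicate request before any task row is written.
     * $values is the submitted form data; $actingUserId must come from the
     * server-side session, never from the request body.
     */
    public function assertCanTransfer(array $values, int $actingUserId): void
    {
        $destProject = isset($values['project_id']) ? (int) $values['project_id'] : 0;

        // 1. The acting user (not the client-supplied owner_id) must be a member
        //    of the destination project; otherwise abort instead of continuing.
        if ($destProject <= 0 || ! $this->projectPermissionModel->isUserAllowed($destProject, $actingUserId)) {
            throw new AccessForbiddenException('Not allowed on the destination project');
        }

        // 2. owner_id is client-controlled: a forged value equal to a member of the
        //    target project must not stand in for the acting user's own rights,
        //    so it is checked separately and rejected rather than silently reset.
        $owner = isset($values['owner_id']) ? (int) $values['owner_id'] : 0;
        if ($owner > 0 && ! $this->projectPermissionModel->isUserAllowed($destProject, $owner)) {
            throw new AccessForbiddenException('Assignee is not allowed on the destination project');
        }
    }
}
```

Calling assertCanTransfer() before checkDestinationProjectValues() makes the project_id tampering in the PoC fail with a forbidden response instead of a successful move.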

PoC

  1. Go to any task you wish to move and click on Move to Project.
  2. Select a random project you have, click Save, and intercept the request.
  3. Change the value of project_id to any project ID you want.
  4. After that, the task gets added to the project you have chosen (even though it is not yours).

Note: The admin project shown in the video is a personal project.

2023-05-28.19-38-16.mp4

Impact

This allows a user with low privileges to create or transfer tasks to any project within the software, even if they have not been invited or the project is personal.

Severity

Moderate (5.4 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE ID

CVE-2023-33968

Weaknesses

Credits