Details
The vulnerability is in the file app/Controller/ProjectPermissionController.php, more specifically in the function addUser().
- The user's permission to add users to a project is only checked against the URL parameter project_id. If the user is authorized to add users to that project, the request gets processed.
- The user's permission for the body parameter project_id is not verified while processing the request.
PoC
- Login as admin and create two projects, for example 'secret' (id=1) and 'public' (id=2).
- Create a new user 'unprivileged'.
- Add the user 'unprivileged' to the public project as a 'Project Manager'.
- Start Burp and login as the unprivileged user account.
- Go to the edit permissions screen of the public project (/project/2/premissions).
- Enable intercept in Burp.
- Add the unprivileged user as a project manager again.
- In the intercepted request, change the project_id in the POST request body from 2 to 1:
POST /?controller=ProjectPermissionController&action=addUser&project_id=2 HTTP/1.1
[...]
csrf_token=f607a23025aff9ab327e4e4cb0bac35b204705a2329fae4877bdc0c7ef839164&project_id=1&user_id=2&username=unprivileged&external_id=&external_id_column=&name=test&role=project-manager
- Go to the projects overview and see the private project: the unprivileged account is now a project manager for that project.
Impact
This is an IDOR vulnerability with high impact.
An attacker with the "Project Manager" role on a single project may take over any other project.
Using this method the attacker could:
- access information in projects the attacker should not have access to
- change users' access to projects (e.g. kick them)
- delete any ticket
- edit any ticket
- delete any project
Additional notes
addUser() does not verify the csrf_token parameter sent in the body.
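As an added illustration (not the project's own code), the following Python model shows the flaw and its fix side by side: the vulnerable handler authorizes on the URL project_id but writes the role to the body project_id, while the fixed handler verifies the csrf_token and binds the write to the project that was actually authorized. The Request class, the roles dict and the demo() replay of the tampered PoC request are constructed assumptions for this example.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Request:
    query: dict         # URL parameters, e.g. ?project_id=2
    body: dict          # POST form fields
    session_csrf: str   # CSRF token stored server-side for this session

def is_project_manager(roles, user_id, project_id):
    # roles maps project_id -> set of user ids holding the project-manager role
    return user_id in roles.get(project_id, set())

def add_user_vulnerable(roles, request, current_user):
    """Authorizes on the URL project_id, then writes to the body project_id (the flaw)."""
    url_project = int(request.query["project_id"])
    if not is_project_manager(roles, current_user, url_project):
        raise PermissionError("not a project manager of this project")
    target = int(request.body["project_id"])  # never compared with url_project
    roles.setdefault(target, set()).add(int(request.body["user_id"]))
    return target

def add_user_fixed(roles, request, current_user):
    """Checks the CSRF token, authorizes, then ignores any project_id in the body."""
    if not hmac.compare_digest(request.body.get("csrf_token", ""), request.session_csrf):
        raise PermissionError("invalid csrf token")
    project_id = int(request.query["project_id"])
    if not is_project_manager(roles, current_user, project_id):
        raise PermissionError("not a project manager of this project")
    roles.setdefault(project_id, set()).add(int(request.body["user_id"]))
    return project_id

def rejected(handler, roles, request, current_user):
    # True if the handler refuses the request with PermissionError
    try:
        handler(roles, request, current_user)
    except PermissionError:
        return True
    return False

def demo():
    """Replay the tampered request from the PoC against both handlers."""
    # Constructed state: user 2 manages project 2 ('public') only; project 1 is 'secret'.
    tampered = Request(query={"project_id": "2"}, session_csrf="tok",
                       body={"csrf_token": "tok", "project_id": "1", "user_id": "2"})
    vuln_roles, fixed_roles = {2: {2}}, {2: {2}}
    add_user_vulnerable(vuln_roles, tampered, current_user=2)
    add_user_fixed(fixed_roles, tampered, current_user=2)
    return {"vulnerable_grants_secret": 2 in vuln_roles.get(1, set()),
            "fixed_grants_secret": 2 in fixed_roles.get(1, set())}
```

The same binding applies to any handler that loads the authorized object from the route and then reads an identifier for it from the body: the body value must be discarded or compared against the authorized one.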