Arbitrary Account Deletion - Insecure Direct Object Reference #89

Closed
iamaldi opened this issue Dec 3, 2018 · 0 comments

Contributor

iamaldi commented Dec 3, 2018

Overview

This is a critical issue; it basically allows a user to delete any other account on the application.
The only prerequisite is that a user is logged in.
All a user has to do is modify the user_id parameter of the request that hits the /delacc endpoint.

The Bug

The responsible code can be found below:

3RStore/_3RStore/views.py

Lines 131 to 151 in 49ccb10

```python
# Delete account
@app.route('/delacc', methods=['POST'])
def delacc():
    # Vulnerable: the target account id is read from attacker-controlled form data
    user_id = request.form.get('user_id')
    cur = conn.cursor()
    try:
        # First delete from `resources` so as not to violate foreign key constraints
        cur.execute('DELETE FROM resources WHERE user_id = %s',
                    (user_id,)
                    )
        cur.execute('DELETE FROM users WHERE id = %s',
                    (user_id,)
                    )
    except DatabaseError:
        # DB-API cursors have no rollback(); the original called cur.rollback(),
        # which would itself raise. Rollback belongs to the connection.
        conn.rollback()
    session.clear()
    flash('Account deleted. Sad to see you go :(', 'danger')
    return redirect('/')
```

Basically, the application extracts the user_id from untrusted user input, the form data of the HTTP request.

Remediation Advice

The application should extract that information from the currently logged-in user's session (session['user_id']) and not trust the form data, which in the end can be manipulated.
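The vulnerable pattern and the remediated handler side by side, as an added example that is not the project's own code: sqlite3 and plain dicts stand in for the project's database and for Flask's request.form / session, and the table and column names are assumed.

```python
import sqlite3

# Constructed in-memory schema mirroring the `users` / `resources` tables the
# issue refers to (column names assumed; sqlite3 stands in for the real driver).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE resources (id INTEGER PRIMARY KEY, "
                 "user_id INTEGER NOT NULL REFERENCES users(id), title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO resources (user_id, title) VALUES (?, ?)",
                     [(1, "a1"), (2, "b1"), (2, "b2")])
    conn.commit()
    return conn

def _delete_user(conn, user_id):
    """Delete one user and their resources in a single transaction."""
    cur = conn.cursor()
    try:
        # Children first so the foreign key constraint is not violated
        cur.execute("DELETE FROM resources WHERE user_id = ?", (user_id,))
        cur.execute("DELETE FROM users WHERE id = ?", (user_id,))
        conn.commit()
    except sqlite3.DatabaseError:
        conn.rollback()  # rollback is a connection method, not a cursor method
        raise

def delacc_vulnerable(conn, session, form):
    """The pattern reported in the issue: target id taken from form data."""
    _delete_user(conn, form.get("user_id"))
    session.clear()
    return "deleted"

def delacc_fixed(conn, session, form):
    """Remediation: the target id comes only from the authenticated session."""
    user_id = session.get("user_id")
    if user_id is None:
        return "unauthenticated"   # treat as HTTP 401; nothing is deleted
    _delete_user(conn, user_id)    # `form` is deliberately ignored
    session.clear()
    return "deleted"

def remaining_users(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]
```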
