Overview
This is a critical issue: it allows any logged-in user to delete any other account on the application.
Prerequisite: the user must be logged in.
All a user has to do is modify the user_id parameter of the request that hits the /delacc endpoint.
The Bug
The responsible code can be found below (3RStore/_3RStore/views.py, lines 131 to 151 at commit 49ccb10):
```python
    # user_id is read from the submitted form earlier in this view (not shown in the excerpt);
    # nothing ties it to the account that is actually logged in.
    try:
        # First delete from `resources` so as not to violate foreign key constraints
        cur.execute('DELETE FROM resources WHERE user_id = %s',
                    (user_id,)
                    )
        cur.execute('DELETE FROM users WHERE id = %s',
                    (user_id,)
                    )
    except DatabaseError:
        # DB-API 2.0 drivers expose rollback() on the connection, not the cursor
        cur.rollback()
    session.clear()
    flash('Account deleted. Sad to see you go :(', 'danger')
    return redirect('/')
```
The application takes the user_id to delete from the untrusted form data of the HTTP request, so the value is entirely under the client's control.
Remediation Advice
The application should take that information from the currently logged-in user's session (session['user_id']) and not trust the form data, which can be manipulated.
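The following is an added example, not code from the 3RStore project, that contrasts the reported behaviour with the remediation above. It stands in for the Flask view with plain functions: the session and form are dicts, the database is an in-memory sqlite3 schema constructed here with the two tables the view touches (users and resources, with a foreign key), and the function and table names are assumptions made for the example. The vulnerable handler takes the target id from the form; the fixed handler takes it from the session and ignores the form entirely, so a tampered user_id has no effect.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema: users plus resources that reference them (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, "
        "user_id INTEGER NOT NULL REFERENCES users(id))"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO resources (user_id) VALUES (?)", [(1,), (2,), (2,)])
    conn.commit()
    return conn


def delete_account(conn, user_id):
    """Same two-step delete as the view: resources first, then the user row."""
    cur = conn.cursor()
    try:
        cur.execute("DELETE FROM resources WHERE user_id = ?", (user_id,))
        cur.execute("DELETE FROM users WHERE id = ?", (user_id,))
        conn.commit()
    except sqlite3.DatabaseError:
        conn.rollback()  # rollback lives on the connection, not the cursor
        raise


def delacc_vulnerable(conn, session, form):
    """Mirrors the reported bug: the id to delete comes from client-controlled form data."""
    user_id = int(form["user_id"])  # attacker can put any id here
    delete_account(conn, user_id)
    session.clear()
    return "/"


def delacc_fixed(conn, session, form):
    """Remediation: delete only the account bound to the authenticated session."""
    if "user_id" not in session:
        return "/login"  # not logged in: there is no account of 'mine' to delete
    delete_account(conn, session["user_id"])  # form contents are never consulted
    session.clear()
    return "/"


def remaining_users(conn):
    return sorted(row[0] for row in conn.execute("SELECT id FROM users"))


def remaining_resources(conn):
    """Owner ids of the resources still present, one entry per row."""
    return sorted(row[0] for row in conn.execute("SELECT user_id FROM resources"))


if __name__ == "__main__":
    # alice (id 1) is logged in and submits user_id=2 in both cases
    conn = make_db()
    delacc_vulnerable(conn, {"user_id": 1}, {"user_id": "2"})
    print("vulnerable: users left =", remaining_users(conn))  # bob is gone

    conn = make_db()
    delacc_fixed(conn, {"user_id": 1}, {"user_id": "2"})
    print("fixed: users left =", remaining_users(conn))  # only alice's own account was removed
```

The fixed handler also returns early when there is no authenticated user, which is the natural place to enforce the "must be logged in" prerequisite rather than relying on the form.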