Request Type
Vulnerability: IDOR
Work Environment
Problem Description
In version 4.1.16-1 you can take the "_id" parameter of one user and place it in another user's request, and you can switch to that profile regardless of which user is logged in.
Steps to Reproduce
Using Burp Suite, turn on "Intercept is on" and capture the login with the correct credentials.
In Burp Suite you get the following:
```json
{
"user":"[email protected]",
"password":"EDSecr3t12677849*rRHYWs"
}
```
Send this to the Repeater in Burp Suite, replace the user with another user and leave the password empty:
```json
{
"user":"[email protected]",
"password":""
}
```
Then we see the response from the server with a 200 OK.
Note: the user edwin.grullon must be logged in to the application.
After the 200 OK response in Burp Suite, copy the parameter "_id":"~81948463" and paste it into the request of another domain user who is registered and logged in to TheHive. Then right-click, Request in browser, In original session.
Copy the URL and paste it into the browser where the user maria.acosta is logged in to the application.
Refresh the page and click the browser's back arrow.
It now appears logged in as the user juan.perez, who is registered in TheHive.
Possible Solutions
Update to the latest version to ensure that the access-control mechanisms are properly hardened on the server side.
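The server-side control that the fix needs is an authorization check binding the requested "_id" to the authenticated session (CWE-639). The example below is added here and is not TheHive's code; it shows the client-trusting lookup that produces this class of bug beside a session-bound version that also records denied id-swaps for detection. All names, ids, sessions and the `User` directory are constructed placeholders.

```python
# Added example (not TheHive project code): the CWE-639 pattern from this
# report, shown as a client-trusting lookup beside a session-bound one.
# Names, ids, sessions and the directory below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str   # the object reference a client would send as "_id"
    login: str
    is_admin: bool = False


# Constructed user directory; the ids only mimic the "~<digits>" shape.
USERS = {
    "~1001": User("~1001", "user.a@example.invalid"),
    "~1002": User("~1002", "user.b@example.invalid"),
    "~1003": User("~1003", "admin@example.invalid", is_admin=True),
}

# Constructed session store: session token -> authenticated user id.
SESSIONS = {
    "sess-a": "~1001",
    "sess-b": "~1002",
    "sess-admin": "~1003",
}

# Denied attempts are appended here so monitoring can alert on id swapping.
AUDIT_LOG: list = []


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def profile_vulnerable(requested_id: str) -> User:
    """IDOR: the server trusts the client-supplied "_id" and never asks
    whether the session that sent it owns that object."""
    return USERS[requested_id]


def profile_hardened(session_token: str, requested_id: str) -> User:
    """Authorize the object reference against the session before touching
    the object. The check runs before the lookup so a denied request also
    cannot confirm whether the id exists."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise Forbidden("no authenticated session")
    caller = USERS[caller_id]
    if requested_id != caller.user_id and not caller.is_admin:
        AUDIT_LOG.append(
            {"event": "idor_denied", "session_user": caller.user_id,
             "requested": requested_id}
        )
        raise Forbidden("object reference not owned by caller")
    target = USERS.get(requested_id)
    if target is None:
        raise LookupError(requested_id)
    return target


def denied(session_token: str, requested_id: str) -> bool:
    """True when the hardened path refuses the request."""
    try:
        profile_hardened(session_token, requested_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Any caller can pull any profile through the vulnerable path ...
    print(profile_vulnerable("~1002").login)
    # ... while the hardened path binds the lookup to the session owner.
    print(profile_hardened("sess-a", "~1001").login)
    print(denied("sess-a", "~1002"))                      # True, audit record written
    print(AUDIT_LOG[-1])
    print(profile_hardened("sess-admin", "~1002").login)  # admins may manage others
```

The important design choice is that the identity used for authorization comes from the server-side session, never from the request body, and that the ownership check happens before the object is loaded; the audit record gives the SOC a signal for the "different _id than session owner" pattern that this report exercises.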
References: https://cwe.mitre.org/data/definitions/639.html
Complementary information
Discovery date: 02/15/2022
Device version: 4.1.16-1
Affected components: TheHive-Projects 4.1.16-1
CVSS v3: 7.1
CWE: CWE-639
Applicant name: Edwin Grullon Aybar
Email: [email protected]