Broken Access Control – on NodeBB v3.6.7

• Exploit Database
• 43 阅读

• 作者： Vibhor Sharma
  日期： 2024-03-28
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51930/

• Exploit Title: Broken Access Control - on NodeBB v3.6.7
  
  Date: 22/2/2024
  
  Exploit Author: Vibhor Sharma
  
  Vendor Homepage: https://nodebb.org/
  
  Version: 3.6.7
  
  Description:
  
  I identified a broken access control vulnerability in nodeBB v3.6.7,
  enabling attackers to access restricted information intended solely
  for administrators. Specifically, this data is accessible only to
  admins and not regular users. Through testing, I discovered that when
  a user accesses the group section of the application and intercepts
  the response for the corresponding request, certain attributes are
  provided in the JSON response. By manipulating these attributes, a
  user can gain access to tabs restricted to administrators. Upon
  reporting this issue, it was duly acknowledged and promptly resolved
  by the developers.
  
  
  
  Steps To Reproduce:
  1) User with the least previlages needs to neviagte to the group section.
  2) Intercept the response for the group requets.
  3) In the response modify the certian paramters : "
  *"system":0,"private":0,"isMember":true,"isPending":true,"isInvited":true,"isOwner":true,"isAdmin":true,
  **" *".
  4) Forward the request and we can see that attacker can access the
  restricted information.
  
  *Impact:*
  Attacker was able to access the restricted tabs for the Admin group
  which are only allowed the the administrators.