Removing a user from a private group doesn't remove them from group's project, if their project's role was changed
Title: Removing a user from a private group doesn't remove him from group's project, if his project's role was changed
Scope: None
Weakness: Improper Access Control - Generic
Severity: Medium (6.3)
Link: https://hackerone.com/reports/310185
Date: 2018-01-29 16:09:39 +0000
By: @rpadovani
Summary: (a) a rogue user is added to a private group with a dozen projects (b) the rogue user's role is changed in some of those projects (c) the rogue user is fired and removed from the group: he still has access to the projects where his role was changed
Description:
Step (b) can happen for a lot of different reasons:
- the rogue user is added as master; knowing this vulnerability, he lowers his own privileges in some projects so that he stays a member of them (this is the only malicious case)
- the rogue user is added as developer, but becomes responsible for some projects and is promoted to master there
- the rogue user is added as reporter and is then promoted in a single project, and so on.
When an admin removes a user from a private group, there is no indication that the user still has access to the private projects in which his role was changed.
I suggest one of these solutions:
- show an alert listing the projects the user will still have access to
- remove the user from every project of the group as well
Steps To Reproduce:
- admin creates superSecretGroup
- admin creates bunch of projects
- admin adds myFirstCTO as master in the group
- myFirstCTO is bad and he is fired
- myFirstCTO changes his role in every project
- admin removes myFirstCTO from the group's members
- myFirstCTO still has access to everything. As long as the admin doesn't open each project's members page, he will have no idea
Steps 3-5 can happen for a lot of different reasons, not all of them malicious. I found out because I was removed from a group as "developer", but I was master of some projects and still had access to them
Impact:
A user can still see all resources of a project in a private group after he has been removed from the group
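The following is an added illustration, not code from the platform in the report or from the reporter: a small Python model of group-inherited versus project-level membership, assuming that a member inherits their group role in every project unless a project-level ("direct") role overrides it. It reproduces the lingering access from the steps above with constructed names (superSecretGroup, myFirstCTO, project names), then shows a hardened removal that reports which projects would keep the user and revokes those direct memberships too, corresponding to the two suggested fixes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed names for the walkthrough (not from any real system).
GROUP_ADMIN = "admin"
ROGUE = "myFirstCTO"


@dataclass
class Group:
    """A private group whose members inherit their group role in every project,
    unless a project-level (direct) membership overrides it."""
    name: str
    members: Dict[str, str] = field(default_factory=dict)              # user -> group role
    projects: Dict[str, Dict[str, str]] = field(default_factory=dict)  # project -> {user: direct role}

    def add_project(self, project: str) -> None:
        self.projects[project] = {}

    def set_project_role(self, project: str, user: str, role: str) -> None:
        # Changing a role at project level creates a direct membership that no
        # longer depends on the group membership (step (b) in the report).
        self.projects[project][user] = role

    def effective_role(self, project: str, user: str) -> Optional[str]:
        direct = self.projects[project].get(user)
        return direct if direct is not None else self.members.get(user)

    def projects_with_direct_access(self, user: str) -> List[str]:
        return sorted(p for p, direct in self.projects.items() if user in direct)

    def remove_member_naive(self, user: str) -> None:
        """Behaviour described in the report: only the group membership goes."""
        self.members.pop(user, None)

    def remove_member(self, user: str, cascade: bool = True) -> List[str]:
        """Hardened removal: compute where access would linger so the admin can be
        alerted, and (by default) revoke those direct memberships as well."""
        remaining = self.projects_with_direct_access(user)
        self.members.pop(user, None)
        if cascade:
            for project in remaining:
                del self.projects[project][user]
        return remaining


def build_scenario() -> Group:
    """Steps 1-4 of the report with constructed project names."""
    g = Group("superSecretGroup")
    for project in ("billing", "payments", "infra"):
        g.add_project(project)
    g.members[GROUP_ADMIN] = "owner"
    g.members[ROGUE] = "master"                         # rogue added as master
    g.set_project_role("payments", ROGUE, "developer")  # role changed in one project
    return g


def naive_removal() -> Dict[str, Optional[str]]:
    """Step 5 as the report observes it: access to 'payments' survives."""
    g = build_scenario()
    g.remove_member_naive(ROGUE)
    return {p: g.effective_role(p, ROGUE) for p in g.projects}


def hardened_removal(cascade: bool = True):
    """Returns the projects the admin should be alerted about, plus the
    rogue user's effective role per project after removal."""
    g = build_scenario()
    alerted = g.remove_member(ROGUE, cascade=cascade)
    return alerted, {p: g.effective_role(p, ROGUE) for p in g.projects}


if __name__ == "__main__":
    print("naive removal  :", naive_removal())
    print("alert only     :", hardened_removal(cascade=False))
    print("alert + cascade:", hardened_removal())
```

With `cascade=False` the function behaves like the first suggested fix (the admin is told which projects still grant access, nothing else changes); with the default `cascade=True` it behaves like the second (the user is removed from every project in the group). Either way the returned list is the audit trail an admin would want after an offboarding.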