IDOR at /drafts/publish/
HackerOne report #429908 by lucky_sen on 2018-10-28:
Summary: I found IDOR vulnerability at the endpoint
/drafts/publish which enable me to publish unauthorised drafts.
There is a feature in discussion where we can save our review as draft and then publish it later. I notice that the
ID parameter are not properly check before publish any draft review so i am able to publish any one draft review even there discussion are confidential and i don't have access on it .
Steps To Reproduce:
- Make 2 accounts A and B and create separate merge requests in both of them.
- Make a draft review in both merge requests by clicking Start a review. Note down B's draft id from the response.
- Go through A's account and publish a comment by clicking Add comment now.
- Intercept the request and change the Id parameter with B's draft id. (B's draft successfully published)
Attacker are able to publish some one confidential draft with out any authentication.
Warning: Attachments received through HackerOne, please exercise caution!