IDOR at /drafts/publish/
HackerOne report #429908 by lucky_sen on 2018-10-28:
Summary: I found IDOR vulnerability at the endpoint /drafts/publish
which enable me to publish unauthorised drafts.
Description:
There is a feature in discussion where we can save our review as draft and then publish it later. I notice that the ID
parameter are not properly check before publish any draft review so i am able to publish any one draft review even there discussion are confidential and i don't have access on it .
Steps To Reproduce:
- Make 2 accounts A and B and create separate merge requests in both of them.
- Make a draft review in both merge requests by clicking Start a review. Note down B's draft id from the response.
- Go through A's account and publish a comment by clicking Add comment now.
- Intercept the request and change the Id parameter with B's draft id. (B's draft successfully published)
Supporting Material/References:
Impact
Attacker are able to publish some one confidential draft with out any authentication.
Thanks!
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Edited by Dennis Appelt