ASL-19 / civicdr-backend

GNU General Public License v3.0

CDR-01-006 Web: (Rating) #17

Closed seamustuohy closed 7 years ago

seamustuohy commented 7 years ago

Same finding as Issue #11, but adding in that SPs should not be able to update their own rating values.

Before the web application stores data in the database, it enforces a whitelist of allowed keys on the received data. This whitelist is adapted for each particular endpoint. It was discovered that the /sp_profiles/:id and /ip_profiles/:id endpoints use an overly permissive whitelist of keys. This occurs when the profile of a user is being updated.

The highlighted keys show that any service provider can, for instance, change their own rating and openid values. When a service provider or implementing partner overwrites their own openid value, the account setup workflow is triggered again during the next login process. This will create a new account in the backend of the application, therefore making it possible to flood the system with new service providers or implementing partners.

It is recommended to verify the business need for having all keys that are exposed via the current whitelist to actually be included in this list. Any key that the end user should not be able to modify must be removed. Please note that this seems to hold for the whitelisted rating or openid keys.

majorzazz commented 7 years ago

@seamustuohy, I believe this was closed by https://github.com/ASL-19/civicdr-backend/pull/13/files as well, no?

seamustuohy commented 7 years ago

Yeah!