polonel / trudesk

:coffee: :seedling: Trudesk is an open-source help desk/ticketing solution.
http://trudesk.io

Security Issue - Editing Other Users Comments #668

Closed Sn1r closed 2 months ago

Sn1r commented 4 months ago

Is this a BUG REPORT or FEATURE REQUEST?:

What happened: It is possible to edit any user's comment with a low-privileged user, such as a customer with a User role. This can be done by tampering with the WebSocket message being sent to the server, allowing the modification of the message ID and corresponding message content to be accepted by the backend.

What did you expect to happen: Enforce server-side validation to restrict low-privileged users from modifying others' comments via WebSocket messages, and implement role-based access control to ensure only authorized users can edit comments.

How to reproduce it (as minimally and precisely as possible):

  1. Authenticate to the system using a customer with a User role.
  2. Access an arbitrary ticket with some comments.
  3. Notice the admin has posted an informative comment with important data for the group.
  4. Post a random comment in the ticket thread to be edited later.
  5. Edit the comment you just posted and intercept the relevant WebSocket message using dedicated Proxy tools.
  6. Edit the "item" parameter value passed in the WebSocket message to the message ID you would like to edit (message IDs can be found in earlier WebSocket messages returned to the client; see the attached video).
  7. Notice the server accepts the modification and proceed to edit all other users' comments in all the existing tickets.

Anything else we need to know?: I'm available for further questions.

Environment:

Below is a PoC that showcases a customer with a User role that changes an Admin comment in a ticket:

https://github.com/polonel/trudesk/assets/71400526/e3940c17-7fe3-4abf-98fc-4c18a0c8c768
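The server-side check the report asks for, as an added example written for this page and not code from the trudesk project. It models an edit-comment WebSocket handler twice: `setTextUnchecked()` reproduces the reported flaw, where the server trusts the client-supplied "item" (comment id) and writes the new text without asking who owns the comment, and `setTextAuthorized()` is the hardened form, where the caller's identity comes from the server-side session rather than the message and the write is allowed only to the comment's owner or to a role permitted to edit other users' comments. The in-memory store, the role names, the `canEditOthersComments` flag, the message field `value` and the user and comment ids are all constructed for this example and are not taken from trudesk.

```javascript
// Added example, not trudesk's code. Models the edit-comment WebSocket
// handler from the report in two forms: one that trusts the client-supplied
// comment id (the reported bug) and one that authorizes against the session.
// Role table, seed data, session shape and the "value" field are assumptions.

// Constructed role table: which roles may edit comments they do not own.
const ROLES = {
  admin: { canEditOthersComments: true },
  user: { canEditOthersComments: false },
};

// Constructed seed data: an admin notice and a customer's reply on one ticket.
const SEED_COMMENTS = [
  { id: 'c-100', ticket: 't-1', owner: 'admin', text: 'Maintenance window is Friday 22:00 UTC.' },
  { id: 'c-101', ticket: 't-1', owner: 'alice', text: 'Thanks, noted.' },
];

// Sessions stand in for the authenticated socket connection. The client never
// supplies these fields; the server attaches them when the socket is authenticated.
const SESSIONS = {
  alice: { userId: 'alice', role: 'user' },
  admin: { userId: 'admin', role: 'admin' },
};

function createCommentService(seed) {
  // Copy the seed so each service instance owns a separate mutable store.
  const comments = new Map(seed.map((c) => [c.id, { ...c }]));

  function getText(id) {
    const c = comments.get(id);
    return c ? c.text : null;
  }

  // Vulnerable handler: any authenticated user can overwrite any comment by
  // changing "item" in the message, which is the behaviour the issue reports.
  function setTextUnchecked(session, msg) {
    if (!session) return { ok: false, error: 'unauthenticated' };
    const c = comments.get(msg.item);
    if (!c) return { ok: false, error: 'not found' };
    c.text = msg.value;
    return { ok: true };
  }

  // Hardened handler: validate the message shape, load the comment by id,
  // then authorize against the session before touching the stored text.
  function setTextAuthorized(session, msg) {
    if (!session) return { ok: false, error: 'unauthenticated' };
    if (!msg || typeof msg.item !== 'string' || typeof msg.value !== 'string') {
      return { ok: false, error: 'bad request' };
    }
    const c = comments.get(msg.item);
    if (!c) return { ok: false, error: 'not found' };
    const isOwner = c.owner === session.userId;
    const role = ROLES[session.role] || { canEditOthersComments: false };
    if (!isOwner && !role.canEditOthersComments) {
      return { ok: false, error: 'forbidden' };
    }
    c.text = msg.value;
    return { ok: true };
  }

  return { getText, setTextUnchecked, setTextAuthorized };
}

// Walks through the reported scenario: the customer "alice" sends an edit
// whose "item" is the id of the admin's comment. Returns what each handler
// left as the admin's comment text afterwards.
function demo() {
  const forged = { item: 'c-100', value: 'tampered by alice' };
  const vulnerable = createCommentService(SEED_COMMENTS);
  const hardened = createCommentService(SEED_COMMENTS);
  vulnerable.setTextUnchecked(SESSIONS.alice, forged);
  hardened.setTextAuthorized(SESSIONS.alice, forged);
  return { vulnerable: vulnerable.getText('c-100'), hardened: hardened.getText('c-100') };
}
```

Two points worth keeping in mind when applying this to a real socket handler. First, the check has to live on the WebSocket path itself, with the same owner-or-role rule the HTTP route uses; an authorization check that only exists on the REST endpoint is bypassed by exactly the message tampering the report describes. Second, as the report notes, comment ids are visible in earlier socket traffic, so the server cannot treat an id as a secret or as evidence that the caller is allowed to touch that record; the decision must rest on the server-side session and the stored owner.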

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

Sn1r commented 3 months ago

Hi, any feedback?

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 2 months ago

This issue was closed because it has been stalled for 5 days with no activity.