CVE-2023-33956: Parameter based Indirect Object Referencing leading to private file exposure

Summary

IDOR vulnerability present in the application’s URL parameter, which enables any user to read files uploaded by any user, regardless of their privileges or restrictions.

Details

Vulnerability-: Indirect Object Referencing
Location-: http://localhost/kanboard/?controller=FileViewerController&action=image&project_id=2&file_id=2
Vulnerable Component-: FileViewerController
Vulnerable Parameter-: file_id

By Changing the file_id any user can render all the files where MimeType is image uploaded under /files directory regard less of uploaded by any user.
This vulnerability poses a significant impact and severity to the application’s security. By manipulating the URL parameter, an attacker can access sensitive files that should only be available to authorised users. This includes confidential documents or any other type of file stored within the application.
The ability to read these files can lead to various detrimental consequences, such as unauthorised disclosure of sensitive information, privacy breaches, intellectual property theft, or exposure of trade secrets. Additionally, it could result in legal and regulatory implications, reputation damage, financial losses, and potential compromise of user trust.

PoC

Steps to reproduce -:

1. Upload a attachment using SuperAdmin Account User User id 1

2. Creating a Normal User with the least User privilege.

3.Uploading a attachment using normal user in order to gain URL

4.Accessing SuperAdmin upload by URL Modification

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR) vulnerability.

The individuals impacted by this vulnerability can vary depending on the specific context and usage of the affected application. In general, the following parties may be affected:

1. Users of the Application: If the application is a multi-user system where users can upload files, the vulnerability can impact all users. Any user’s uploaded files can be accessed by an attacker exploiting the IDOR vulnerability, potentially leading to unauthorized disclosure of their sensitive information.

2. Organization or Business: If the affected application is used within an organization or business setting, the vulnerability can have broader consequences. It can expose sensitive business data, intellectual property, confidential documents, or trade secrets to unauthorized individuals. This can result in financial losses, damage to the organization’s reputation, legal and regulatory implications, and compromised business operations.

3. Customers or Clients: If the application is used by a company that provides services to customers or clients, the vulnerability can impact them as well. For example, if the application is a file sharing platform, customers or clients may store sensitive files on the platform, which can be accessed by attackers exploiting the IDOR vulnerability. This can lead to privacy breaches, unauthorized disclosure of customer data, and loss of trust in the service provider.

It is important to recognize that IDOR vulnerabilities have the potential to impact a wide range of individuals and organizations, depending on the nature of the application and the sensitivity of the data involved.