- Status: Closed
- Assigned To: xlefloch
- Private
- Opened by ranj3et - 20.06.2025
- Last edited by xlefloch - 24.06.2025
FS#185 - IDOR Leading to Disclosure of All Organization Database Users
Hi Team,
Description:
I have found that there is a feature to create a duplicate of a database, and during that process, there is an option to choose a recipient. This endpoint lacks proper access control. If an attacker inputs the recipient ID of another organization's database user, it discloses their name.
Additionally, the recipient ID is sequential, numerical, and easily enumerable — making it guessable.
Steps to Reproduce:
1. Log in to Organization A and attempt to create a duplicate of a database. Choose a recipient, and from this endpoint:
`https://admin.alwaysdata.com/database/duplicate/@@/?_field_account=@@` copy the `field_account` parameter.
2. Now, log in to Organization B. Try to create a duplicate database, and when choosing the recipient, capture the request using Burp Suite. From this endpoint
`https://admin.alwaysdata.com/database/duplicate/@@/?_field_account=@@`
replace the `field_account` parameter with the one copied from Organization A.
You will see that the user details of Organization A are disclosed.
POC Video:
https://drive.google.com/file/d/1u2qZ7wC8nNquBNFJ4kwWoU-oZsXzI-go/view?usp=sharing
Regards,
Ranjet
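The defect described in this report is a missing object-level authorization check: the recipient lookup trusts a caller-supplied `field_account` ID without checking that the account belongs to the caller's organization. The following is an added illustration of that check, not alwaysdata's code; the `Account` model, the `ACCOUNTS` table, the organization/account IDs and the function names are all constructed for the example.

```python
"""
Added example (not alwaysdata's code): object-level authorization for a
"choose recipient" lookup, modelled on the IDOR in the report above.
The data model, sample data and function names are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Account:
    id: int
    org_id: int
    name: str


# Constructed sample data: two organizations, sequential account IDs
# (sequential IDs are what makes the broken lookup trivially enumerable).
ACCOUNTS = {
    101: Account(101, org_id=1, name="alice (Org A)"),
    102: Account(102, org_id=1, name="bob (Org A)"),
    103: Account(103, org_id=2, name="carol (Org B)"),
}


class NotFound(Exception):
    """Raised for both 'no such ID' and 'not your organization'."""


def lookup_recipient_vulnerable(requester: Account, field_account: int) -> Account:
    """Resolves the recipient by ID alone. Any authenticated user can read
    any account's name by supplying another organization's ID: the IDOR."""
    try:
        return ACCOUNTS[field_account]
    except KeyError:
        raise NotFound from None


def lookup_recipient_fixed(requester: Account, field_account: int) -> Account:
    """Scopes the lookup to the requester's organization.

    A cross-organization ID and a non-existent ID raise the identical error,
    so the response does not even confirm whether the ID exists.
    """
    acct = ACCOUNTS.get(field_account)
    if acct is None or acct.org_id != requester.org_id:
        raise NotFound
    return acct


def recipient_name(
    lookup: Callable[[Account, int], Account], requester: Account, field_account: int
) -> Optional[str]:
    """What the endpoint would disclose: the name, or None on a refused lookup."""
    try:
        return lookup(requester, field_account).name
    except NotFound:
        return None


if __name__ == "__main__":
    org_b_user = ACCOUNTS[103]
    # Org B user asks for an Org A account ID.
    print(recipient_name(lookup_recipient_vulnerable, org_b_user, 101))  # alice (Org A)
    print(recipient_name(lookup_recipient_fixed, org_b_user, 101))       # None
    # Same-organization lookups still work after the fix.
    print(recipient_name(lookup_recipient_fixed, org_b_user, 103))       # carol (Org B)
```

The scoping condition belongs in the data access layer (in an ORM, the equivalent of filtering the query on the requester's organization rather than fetching by primary key and checking afterwards), so that every code path that resolves a recipient inherits it. Replacing sequential numeric IDs with random, opaque identifiers raises the cost of enumeration but is not a substitute for the authorization check.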
Hello,
The bug has been fixed, can you confirm?
Regards,
Hi,
I have checked, and this bug has been patched.
Regards,
Ranjeet