Security vulnerabilities

  • Status Closed
  • Assigned To
    xlefloch
  • Private
Attached to Project: Security vulnerabilities
Opened by ranj3et - 20.06.2025
Last edited by xlefloch - 24.06.2025

FS#185 - IDOR Leading to Disclosure of All Organization Database Users

Hi Team,

Description:
I have found that there is a feature to create a duplicate of a database, and during that process, there is an option to choose a recipient. This endpoint lacks proper access control. If an attacker inputs the recipient ID of another organization's database user, it discloses their name.

Additionally, the recipient ID is sequential, numerical, and easily enumerable — making it guessable.

Steps to Reproduce:
1. Log in to Organization A and attempt to create a duplicate of a database. Choose a recipient, and from this endpoint:

   https://admin.alwaysdata.com/database/duplicate/@@/?_field_account=@@

   copy the `field_account` parameter.

2. Now, log in to Organization B. Try to create a duplicate database, and when choosing the recipient, capture the request using Burp Suite. In the request to this endpoint:

   https://admin.alwaysdata.com/database/duplicate/@@/?_field_account=@@

   replace the `field_account` parameter with the one copied from Organization A.

You will see that the user details of Organization A are disclosed.

POC Video:
https://drive.google.com/file/d/1u2qZ7wC8nNquBNFJ4kwWoU-oZsXzI-go/view?usp=sharing

Regards,
Ranjet
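To make the access-control failure in the report concrete, the following is an added example and not alwaysdata's code: a minimal, self-constructed model of the recipient lookup behind a "duplicate database" form. The vulnerable variant resolves whatever `field_account` the client sends; the fixed variant scopes the lookup to the organization taken from the server-side session and answers "not found" for any ID outside it, so it neither discloses the name nor confirms that the ID exists. The account table, organization names and function names are all assumptions for illustration. The `enumerate_names` helper shows why the sequential IDs the report mentions matter: against the vulnerable lookup, a single logged-in attacker can sweep a small ID range and harvest every organization's user names.

```python
"""Constructed model of an IDOR in a "choose recipient" lookup.

This is example code written for this page, not the application's own code.
Every name below (Account, ACCOUNTS, lookup_recipient_*, enumerate_names)
is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    id: int        # sequential integer, as the report describes
    org: str       # owning organization
    name: str      # the value that was disclosed


# Constructed sample data: two organizations sharing one sequential ID space.
ACCOUNTS = {
    101: Account(101, "org-a", "Alice (Org A DBA)"),
    102: Account(102, "org-b", "Bob (Org B DBA)"),
    103: Account(103, "org-b", "Carol (Org B DBA)"),
}


class NotFound(Exception):
    """Raised for unknown IDs and, in the fixed variant, for foreign ones too."""


def lookup_recipient_vulnerable(session_org: str, field_account: int) -> str:
    """Trusts the client-supplied ID: any authenticated user resolves any account.

    `session_org` is accepted but never consulted, which is the bug.
    """
    acct = ACCOUNTS.get(field_account)
    if acct is None:
        raise NotFound(field_account)
    return acct.name


def lookup_recipient_fixed(session_org: str, field_account: int) -> str:
    """Scopes the lookup to the caller's own organization.

    The organization comes from the server-side session, never from the
    request. "Exists but belongs to someone else" is collapsed into the same
    NotFound as "does not exist", so the response does not confirm valid IDs.
    Switching to random, non-sequential IDs would slow enumeration but is
    defense in depth only; this ownership check is the actual fix.
    """
    acct = ACCOUNTS.get(field_account)
    if acct is None or acct.org != session_org:
        raise NotFound(field_account)
    return acct.name


def enumerate_names(lookup, session_org: str, id_range) -> dict:
    """Simulates the sweep that sequential IDs invite.

    Returns {id: name} for every ID in `id_range` that `lookup` discloses to a
    user whose session belongs to `session_org`.
    """
    harvested = {}
    for candidate in id_range:
        try:
            harvested[candidate] = lookup(session_org, candidate)
        except NotFound:
            continue
    return harvested


if __name__ == "__main__":
    # An Org B user sweeping IDs 100..109 against each variant.
    print("vulnerable:", enumerate_names(lookup_recipient_vulnerable, "org-b", range(100, 110)))
    print("fixed:     ", enumerate_names(lookup_recipient_fixed, "org-b", range(100, 110)))
```

In a real web framework the same fix is usually a one-line change: add the session's organization to the query (for example, filtering the account lookup on both the ID and the owning organization) instead of fetching by ID alone, and make the "wrong organization" branch indistinguishable from a missing record.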

Closed by xlefloch
24.06.2025 08:06
Reason for closing:  Fixed
Admin

Hello,

The bug has been fixed, can you confirm?

Regards,

Hi,

I have checked, and this bug has been patched.

Regards,
Ranjeet
