Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 01.02.2024
Last edited by cbay - 01.02.2024

FS#24 - Security Report:Broken Access Control (BAC) in [admin.alwaysdata.com]

Security Report: Broken Access Control (BAC) refers to a security vulnerability where users are able to access or manipulate resources that they are not authorized to access.

Introduction:
Broken Access Control (BAC) refers to a security vulnerability where users are able to access or manipulate resources that they are not authorized to access. In this report, we will discuss an instance of BAC where a user is able to delete a technical support ticket to which they have been invited, even though they do not have the necessary permissions to do so.

The user who is added to the ticket does not have permission to delete the ticket, since he is not the one who created it.

Command used to delete: https://admin.alwaysdata.com/support/"Ticket_Number"/delete/

Steps to reproduce the bug:

1- Open a technical support ticket
2- Add a user to the ticket with you
3- Try the delete command I sent you
4- You will notice that the invited user can delete the ticket completely, and this is not his prerogative

Impact:
The impact of this vulnerability is significant as it compromises the integrity and confidentiality of the technical support system. Unauthorized deletion of tickets can lead to loss of important information, disruption of support services, and potential security breaches if sensitive information is contained within the tickets.

Closed by  cbay
01.02.2024 11:38
Reason for closing:  Invalid
Admin
cbay commented on 01.02.2024 10:04

Hello,

There is no concept of "owner" of a ticket. All participants have the same rights, so if you add someone to a ticket, they can do whatever they want with it. That's not a vulnerability or security issue, it's on purpose.

However, deleting a ticket was not a deliberate feature (there's no button or link to do it). It worked simply because most objects you interact with on our administration panel can be deleted, and tickets were not treated as an exception in that regard.

But since we never intended to let users delete tickets, we've removed the possibility to do it.

Kind regards,
Cyril
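
The reply above describes the root cause: one generic delete path shared by every object type in the panel, with tickets not excluded from it. The following is an added example written for this page, not alwaysdata's own code, showing that shape beside a hardened version where deletion is an explicit per-type capability (deny by default). The model names, the `participants` set, the `DELETABLE_TYPES` registry and the scenario data are all assumptions; the only facts taken from the thread are that every participant of a ticket has equal rights and that ticket deletion was never meant to exist.

```python
"""Added example (not alwaysdata's code): generic delete vs. per-type allow-list.
Model names, participants and the DELETABLE_TYPES registry are assumptions."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request fails an access check."""


@dataclass
class Ticket:
    id: int
    participants: set[str]  # every participant has equal rights (per the thread)
    messages: list[str] = field(default_factory=list)
    deleted: bool = False


@dataclass
class Database:
    id: int
    owner: str
    deleted: bool = False


def can_access(user: str, obj) -> bool:
    """Per-object access check: ticket participant, or owner of other objects."""
    if isinstance(obj, Ticket):
        return user in obj.participants
    return user == obj.owner


# --- Vulnerable shape: one delete path for every object type -----------------
def generic_delete(user: str, obj) -> None:
    """Deletes anything the user may access. Tickets are not treated as an
    exception, so any invited participant can reach the /delete/ URL."""
    if not can_access(user, obj):
        raise Forbidden(f"{user} may not access {type(obj).__name__} {obj.id}")
    obj.deleted = True


# --- Hardened shape: deletion is an explicit, per-type capability ------------
# Assumed allow-list of types the panel really offers a delete action for.
# Ticket is deliberately absent: "we never intended to let users delete tickets".
DELETABLE_TYPES: frozenset[type] = frozenset({Database})


def hardened_delete(user: str, obj) -> None:
    """Same access check, plus a type allow-list checked first. Deny by default."""
    if type(obj) not in DELETABLE_TYPES:
        raise Forbidden(f"{type(obj).__name__} objects cannot be deleted")
    if not can_access(user, obj):
        raise Forbidden(f"{user} may not access {type(obj).__name__} {obj.id}")
    obj.deleted = True


def post_message(user: str, ticket: Ticket, text: str) -> None:
    """Any participant may post; that is intended behaviour and stays allowed."""
    if user not in ticket.participants:
        raise Forbidden(f"{user} is not a participant of ticket {ticket.id}")
    ticket.messages.append(f"{user}: {text}")


def _attempt(fn, *args) -> bool:
    """True if the call succeeded, False if it was refused with Forbidden."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


def demo() -> dict[str, bool]:
    """Constructed scenario from the report: the opener invites a second user."""
    outcome = {}
    # Vulnerable path: the invited participant deletes the ticket outright.
    t1 = Ticket(id=24, participants={"opener", "invited"})
    outcome["invited_deleted_via_generic"] = _attempt(generic_delete, "invited", t1)
    # Hardened path: nobody can delete a ticket, participants can still post.
    t2 = Ticket(id=25, participants={"opener", "invited"})
    outcome["invited_deleted_via_hardened"] = _attempt(hardened_delete, "invited", t2)
    outcome["opener_deleted_via_hardened"] = _attempt(hardened_delete, "opener", t2)
    outcome["invited_can_post"] = _attempt(post_message, "invited", t2, "still allowed")
    # Other object types keep their delete action, still gated on access.
    db = Database(id=1, owner="opener")
    outcome["stranger_deleted_db"] = _attempt(hardened_delete, "invited", db)
    outcome["owner_deleted_db"] = _attempt(hardened_delete, "opener", db) and db.deleted
    return outcome


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of checking the type allow-list before the per-object access check is that "who may touch this object" and "which actions exist for this type" are separate decisions; a generic handler that only asks the first question will expose every action on every type unless each exception is remembered by hand.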

Well, that means it's a vulnerability where an unauthorized user can delete the ticket.

How much bounty will I get?

Admin
cbay commented on 01.02.2024 10:27

As I just said, they were authorized.

You told me it was allowed, and in the same words you told me that this was not an intentional method; that is, access was allowed to an unauthorized person.
This is a vulnerability called [access controls].
You can search for them: intentionally or unintentionally, an unauthorized user can do something they shouldn't have been able to do.
I hope you will reconsider this report, thank you.

Admin
cbay commented on 01.02.2024 11:16

Let me try again:

* any participant can do whatever he wants in a ticket, so there is no "unauthorized person"
* being able to delete a ticket was not done on purpose, so it was removed

Well, the user can do whatever they like in the ticket but can't delete it; that's what I concluded from your first reply. I tried it, and every time the users who were added could delete the tickets.
He is an authorized user who can do everything in the ticket except delete it, which is unintentional behavior.
This unintentional behavior is considered a security vulnerability.
You can review the report and make sure.

Admin
cbay commented on 01.02.2024 11:29
the user can do whatever they like in the ticket but can't delete it, that's what I concluded from your first reply

That's not what I said, read again my first message:

All participants have the same rights, so if you add someone to a ticket, they can do whatever they want with it.
But since we never intended to let users delete tickets, we've removed the possibility to do it.

I said they weren't allowed to, but they did it, and they did something they shouldn't have been able to do.

Admin
cbay commented on 01.02.2024 11:38
I said they weren't allowed to

Yes, you said it, but I said they were allowed to.

I think I've made my point clear, I'll close this report.

Hi,

As the owner of the ticket, I added people with me. I am the only one who should be able to delete the ticket; the other members have the authority to send messages and close the ticket, but deleting the ticket is the exclusive authority of the one who opened it.
I hope that you will review the report and give me a reward after you have fixed the bug.
