- Status: Closed
- Assigned To: cbay
- Private
- Opened by monty099 - 01.02.2024
- Last edited by cbay - 01.02.2024
FS#24 - Security Report: Broken Access Control (BAC) in [admin.alwaysdata.com]
Introduction:
Broken Access Control (BAC) refers to a security vulnerability where users are able to access or manipulate resources that they are not authorized to. In this report, we will discuss an instance of BAC where a user is able to delete a technical support ticket to which they have been invited, even though they do not have the necessary permissions to do so.
The user who is added to the ticket does not have permission to delete the ticket; he is not the one who created it.
Command used to delete: https://admin.alwaysdata.com/support/"Ticket_Number"/delete/
Steps to reproduce the bug:
1- Open a technical support ticket
2- Add a user with you in the ticket
3- Try the delete command I sent you
4- You will notice that the invited user can delete the ticket completely, and this is not his prerogative
Impact:
The impact of this vulnerability is significant as it compromises the integrity and confidentiality of the technical support system. Unauthorized deletion of tickets can lead to loss of important information, disruption of support services, and potential security breaches if sensitive information is contained within the tickets.
Hello,
There is no concept of "owner" of a ticket. All participants have the same rights, so if you add someone to a ticket, they can do whatever they want with it. That's not a vulnerability or security issue, it's on purpose.
However, deleting a ticket was not a deliberate feature (there's no button or link to do it). It worked simply because most objects you interact with on our administration panel can be deleted, and tickets were not treated as an exception in that regard.
But since we never intended to let users delete tickets, we've removed the possibility to do it.
Kind regards,
Cyril
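The mechanism described in the reply above (one generic delete path shared by most object types, with only a participant check in front of it) and the allow-list shape that avoids it, as an added example that is not alwaysdata's code. The framework and models of the real panel are not shown on this page; every type, function and user name below is made up, and the ticket data is constructed inline.

```python
"""Added example, not alwaysdata's code: a generic delete path that every
object type inherits, next to an explicit per-type allow-list.

Models the root cause given in the reply: the panel's only check on an
object is "is this user a participant", and one shared delete handler
serves most types, so tickets picked up a delete action nobody intended.
Type names (Ticket, ApiKey), user names and ids are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Ticket:
    id: int
    participants: set            # all participants have equal rights, no owner
    closed: bool = False
    messages: list = field(default_factory=list)


@dataclass
class ApiKey:
    id: int
    participants: set            # a type where deleting really is intended


GENERIC_ACTIONS = ("view", "delete")   # what the shared handler offers any type


class GenericAdmin:
    """Original shape: shared handlers, one access check for all actions."""

    def __init__(self):
        self.store = {}

    def add(self, obj):
        self.store[(type(obj), obj.id)] = obj
        return obj

    def can_access(self, user, obj):
        return user in obj.participants

    def perform(self, user, obj, action):
        # The same yes/no answer gates reply, close and delete alike.
        if not self.can_access(user, obj):
            raise PermissionError("not a participant")
        return self._do(obj, action)

    def _do(self, obj, action):
        if action == "delete":
            del self.store[(type(obj), obj.id)]
            return "deleted"
        if action == "close":
            obj.closed = True
            return "closed"
        if action == "reply":
            obj.messages.append("msg")
            return "replied"
        if action == "view":
            return "viewed"
        raise ValueError(action)


class PolicyAdmin(GenericAdmin):
    """Hardened shape: each type lists the actions it permits. Anything not
    listed is denied, regardless of what the generic handlers support."""

    ALLOWED = {
        Ticket: {"view", "reply", "close"},   # delete deliberately absent
        ApiKey: {"view", "delete"},
    }

    def perform(self, user, obj, action):
        if action not in self.ALLOWED.get(type(obj), set()):
            raise PermissionError(f"{action} not permitted on {type(obj).__name__}")
        return super().perform(user, obj, action)


def implicit_actions(policy_admin):
    """Review check: generic actions a type would get that its policy does
    not list. A non-empty result is exactly the bug class in this report."""
    return {
        t.__name__: sorted(set(GENERIC_ACTIONS) - allowed)
        for t, allowed in policy_admin.ALLOWED.items()
        if set(GENERIC_ACTIONS) - allowed
    }


def reproduce():
    """The reported steps: creator opens a ticket, adds a user, the invited
    user calls delete. Returns (generic outcome, policy outcome)."""
    generic = GenericAdmin()
    t1 = generic.add(Ticket(id=1, participants={"creator", "invited"}))
    generic_result = generic.perform("invited", t1, "delete")

    policy = PolicyAdmin()
    t2 = policy.add(Ticket(id=1, participants={"creator", "invited"}))
    try:
        policy_result = policy.perform("invited", t2, "delete")
    except PermissionError as exc:
        policy_result = str(exc)
    return generic_result, policy_result


if __name__ == "__main__":
    print(reproduce())
    print(implicit_actions(PolicyAdmin()))
```

The `implicit_actions` check is the part worth keeping in a review: running it over the real type registry would have flagged `Ticket` as receiving a generic `delete` without any policy saying so, before a reporter found it. Note that the allow-list denies delete to the creator as well, matching the fix described (deletion removed for everyone) rather than an owner-only rule the panel does not have.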
Well, that means it's a vulnerability where an unauthorized user can delete the ticket.
How much bounty will I get?
As I just said, they were authorized.
You told me it was allowed, and in the same words you told me that this was not an intentional method; that is, access was allowed to an unauthorized person.
This is a vulnerability called [access controls].
You can search for them. In an intentional or unintentional way, an unauthorized user can do something they shouldn't have done.
I hope to reconsider this report, thank you
Let me try again:
* any participant can do whatever he wants in a ticket, so there is no "unauthorized person"
* being able to delete a ticket was not done on purpose, so it was removed
Well, the user can do whatever they like in the ticket but can't delete it; that's what I concluded from your first reply. I tried it, and all the time the users who were added could delete the tickets.
He is an authorized user who does everything in the ticket except delete it, which is an unintentional behavior.
This unintentional behavior is considered a security vulnerability
You can review the report and make sure
That's not what I said, read again my first message:
I said they weren't allowed to, but they did it and they did something they shouldn't do
Yes, you said it, but I said they were allowed to.
I think I've made my point clear, I'll close this report.
Hi,
As the owner of the ticket, I have added people with me. I am the only one who can delete the ticket, but the other members have the authority to send messages and close the ticket; deleting the ticket is the exclusive authority of the one who opened the ticket.
I hope that you will review the report and give me a reward, after you have fixed the bug