Security vulnerabilities

  • Status Closed
  • Assigned To
    nferrari
  • Private
Attached to Project: Security vulnerabilities
Opened by ubaid_one - 26.12.2025
Last edited by nferrari - 23.01.2026

FS#271 - Broken Access Control Allows Limited Access Accounts to Access Logs Through URL Manipulation

Vulnerable Assets
- Activity Log Module
- /log/{log_id}/detail/

Menus whose logs are accessible to limited access accounts:
1. https://admin.alwaysdata.com/site/configuration/
2. https://admin.alwaysdata.com/domain/
3. https://admin.alwaysdata.com/environment/
4. https://admin.alwaysdata.com/advanced/log/

Vulnerability Type
Broken Access Control

Vulnerability Description
In the test scenario, there are two types of accounts:
- Account A: Full access (Admin/Owner)
- Account B: Limited access
By design, account B does not have permission to view the system audit logs. The log menu is not available in account B's UI. However, by manually adding the URL path, account B can still access certain log details. By accessing the endpoint: /log/{id}/detail/
Account B successfully views audit log information without any authorization validation on the backend. This indicates that access control is only implemented at the user interface (UI) level, not the backend API.

Sensitive data accessible to account B includes:
1. Actions (Create, Update, Delete)
2. Objects (modified resources)
3. Users (accounts performing the actions)
4. Resources
5. IP addresses
6. Date and time
7. Change details (Detail)

Reproduction Steps
1. Log in using account B (limited access).
2. Ensure the audit log menu is not available in the UI.
3. Access the URL directly, for example: /log/11032585/detail/
4. Audit log details are successfully displayed even though the account does not have permissions.

Security Impact
1. Leakage of Sensitive Information
2. Reconnaissance for Advanced Attacks
3. Violation of the Principle of Least Privilege

Recommended Improvements
1. Implement authorization validation in the backend for each audit log endpoint.
2. Ensure that only roles with appropriate permissions can view log lists and access log details.
3. Avoid relying on UI restrictions as the sole security control.

   2.mp4 (32.4 MiB)
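The report's recommended fix, authorization decided in the backend on every request rather than by hiding a menu, as an added illustration (not alwaysdata's code). The vulnerable handler trusts any valid id in the URL; the hardened one checks a role permission and, going one step beyond the report, also that the log belongs to the caller's own customer account, so a full-access login from another tenant is refused as well. Roles, permission names, accounts and log data are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed roles and permission names for this example; not alwaysdata's model.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "full": {"log.list", "log.view"},
    "limited": set(),
}

@dataclass(frozen=True)
class Account:
    id: int
    tenant_id: int   # the customer account this login belongs to
    role: str

@dataclass(frozen=True)
class LogEntry:
    id: int
    tenant_id: int
    action: str
    obj: str
    user: str
    ip: str

# Constructed sample data; the log id is the one quoted in the report.
ACCOUNT_A = Account(id=1, tenant_id=100, role="full")      # owner
ACCOUNT_B = Account(id=2, tenant_id=100, role="limited")   # limited access, same tenant
ACCOUNT_C = Account(id=3, tenant_id=200, role="full")      # owner of a different tenant
LOGS: Dict[int, LogEntry] = {
    11032585: LogEntry(11032585, 100, "Update", "site/configuration",
                       "owner@example.test", "192.0.2.10"),
}

def log_detail_ui_only(account: Account, log_id: int) -> Tuple[int, Optional[LogEntry]]:
    """Vulnerable pattern: the menu is hidden for limited accounts, but the
    handler serves any existing id to any authenticated caller."""
    entry = LOGS.get(log_id)
    return (200, entry) if entry else (404, None)

def can_view_log(account: Account, entry: LogEntry) -> bool:
    """Both conditions must hold: the role grants log.view and the entry is the caller's tenant's."""
    has_permission = "log.view" in ROLE_PERMISSIONS.get(account.role, set())
    return has_permission and entry.tenant_id == account.tenant_id

def log_detail(account: Account, log_id: int) -> Tuple[int, Optional[LogEntry]]:
    """Hardened handler: authorization is evaluated server-side on every request."""
    entry = LOGS.get(log_id)
    if entry is None:
        return 404, None
    if not can_view_log(account, entry):
        return 403, None   # answering 404 here instead would also avoid confirming the id exists
    return 200, entry
```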
Closed by nferrari
23.01.2026 06:50
Reason for closing:  Fixed
Admin

Thank you for your report, we will look into it shortly.

Hello Alwaysdata Security Team,

I would like to follow up on the Broken Access Control Allows Limited Access Accounts to Access Logs Through URL Manipulation vulnerability report I submitted on December 26, 2025, and received the following response:

“Thank you for your report, we will look into it shortly.”

I wanted to confirm if the report is still under review.

Thank you for your time and attention.
I look forward to hearing from you.

Sincerely,
Muchamad Alfian

Admin

Hi,

Thank you for your report, which has been validated. Can you please open a ticket on administration panel for further discussion?

Regards,

Hello, AlwaysData Security Team.

As per your instructions, I have created a new ticket through the administration panel to continue discussing this finding.

Thank you.

Hello, AlwaysData Security Team.

As per your instructions, I have created a new ticket through the administration panel to continue discussing this finding:

https://admin.alwaysdata.com/support/91517/#bottom

Thank you.

Hello, AlwaysData Security Team.

re-ticket :
As per your instructions, I have created a new ticket through the administration panel to continue discussing this finding:

re-ticket https://admin.alwaysdata.com/support/91523/#bottom

Thank you.
