Security vulnerabilities

  • Status: Assigned
  • Assigned To: nferrari
  • Private
Attached to Project: Security vulnerabilities
Opened by freetb - 15.02.2024
Last edited by nferrari - 04.03.2024

FS#34 - Unvalidated Input vulnerability in Class_Join feature allows unauthorized access to classes

Description

An unvalidated input vulnerability has been identified in the class joining process of the platform. By fuzzing the teacher ID parameter in the class_join URL, an attacker can potentially join any class without proper authorization. This issue poses a significant security risk and may lead to unauthorized access to sensitive information and class benefits.

Impact

The potential impact includes:

a) Unauthorized access to sensitive class information.
b) Compromised data privacy for both students and instructors.

Proof-of-Concept

To reproduce the vulnerability, follow these steps:

1) First, we log in to a test account. Next, we replay this invite URL I got from an actual tutor invite, but now we manipulate the teacher ID value to grant us unvalidated access to certain classes.
This is the invite URL:

https://admin.alwaysdata.com/academic/attach/?teacher=<TEACHER_ID>

2) Fuzz different values for the ID parameter to find classes that can be accessed without proper authorization. A bit flipper attack would provide the best results.

3) Upon finding a class with a vulnerable ID, join the class by providing the manipulated URL to the unauthorized user.

Mitigation

1) Implement proper input validation and sanitization for the class ID parameter to ensure that only authorized users can join classes. This can be done by assigning a temporary validation token per class_join request.

2) In the absence of token validation, the teacher_id could be encrypted to a longer, more obfuscated value to reduce predictability.

POC || Bit Flipper Video: https://file.io/qy91eQRASzyo
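The first mitigation above, a temporary validation token per join request, can be illustrated with a small simulation. The code below is an added example written for this page; it is not alwaysdata's code, and the `make_invite`, `parse_invite` and `join_class` names, the `CLASSES` table and the signing key are constructed placeholders. An invite carries the teacher id, an expiry and a random nonce, signed with an HMAC that only the server can compute, so changing the id in the URL invalidates the token; the nonce also covers the second mitigation (unpredictability) without relying on obfuscating the id.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical server-side signing key. A real deployment would load it from
# configuration or a secret store, never hard-code it in source.
SECRET_KEY = b"constructed-example-key-not-for-production"
INVITE_TTL_SECONDS = 24 * 60 * 60

# Constructed stand-in for the class table: teacher id -> class name.
CLASSES = {101: "Algebra", 202: "Physics"}

# Nonces of invitations that have already been redeemed (single-use).
_redeemed = set()


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload; only the server holds SECRET_KEY."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_invite(teacher_id: int, now: Optional[int] = None) -> str:
    """Issue a signed, expiring, single-use invitation for teacher_id.

    The token is '<base64(teacher:expiry:nonce)>.<hmac>': the teacher id
    stays readable, but any change to it breaks the signature.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = f"{teacher_id}:{now + INVITE_TTL_SECONDS}:{nonce}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def parse_invite(token: str, now: Optional[int] = None) -> Optional[Tuple[int, str]]:
    """Return (teacher_id, nonce) if the token is authentic and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # missing separator or bad base64
        return None
    # Verify before trusting any field; constant-time compare avoids leaking
    # how many signature bytes matched.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        teacher_str, expiry_str, nonce = payload.decode().split(":")
        teacher_id, expiry = int(teacher_str), int(expiry_str)
    except ValueError:  # wrong field count or non-numeric fields
        return None
    if now >= expiry:
        return None
    return teacher_id, nonce


def join_class(token: str, now: Optional[int] = None) -> str:
    """Simulated attach endpoint: attach only on a valid, unredeemed invite."""
    parsed = parse_invite(token, now)
    if parsed is None:
        return "rejected: invalid or expired invitation"
    teacher_id, nonce = parsed
    if nonce in _redeemed:
        return "rejected: invitation already used"
    if teacher_id not in CLASSES:
        return "rejected: no class for this teacher"
    _redeemed.add(nonce)
    return f"joined {CLASSES[teacher_id]}"


if __name__ == "__main__":
    now = int(time.time())
    invite = make_invite(101, now)
    print(join_class(invite, now))   # joined Algebra
    print(join_class(invite, now))   # rejected: invitation already used
```

With this design the teacher id in the URL is no longer the thing being trusted: the server trusts only the signature it can recompute, and a token that has been edited, has expired, or has already been redeemed is refused before any attach happens. The redeemed-nonce set would live in the database in a real service so that it survives restarts and is shared across workers.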

Admin

Hi,

Thank you for your report.

I just confirmed this behavior, which should not be possible. An issue has been created on our internal TODO list, and better management of invitations will be deployed later this year.

However, except for the fact that the user can be attached to a random existing class, no security issue is involved since there is no access to any data of the class or its students.

Please come back to us through the Support section of the administration panel with this task as a reference.

Regards,

Okay thanks. I used the same ticket as the first bug: https://admin.alwaysdata.com/support/76658
