Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by rulebrekerz - 11.07.2026
Last edited by cbay - 13.07.2026

FS#374 - Critical Broken Access Control (IDOR) Leading to Multiple Unauthorized Actions and Administrator Acc

1. Summary

A Broken Access Control (IDOR) vulnerability exists in the Flyspray-based bug reporting system used by Alwaysdata. The application fails to verify whether the authenticated user is authorized to perform sensitive actions on the supplied task_id and user_id. By manipulating these identifiers, an attacker can perform unauthorized actions on behalf of other users, including privileged administrators.

2. Bug Found

The following vulnerabilities were successfully identified from the same authorization flaw:
Unauthorized Request Closure of Another User's Report
Unauthorized Modification of Watching Status
Unauthorized Voting on Behalf of Another User
Unauthorized Commenting on Private Reports
Administrator-Only Report Closure
Administrator-Only Report Visibility Change (Make Public)
Administrator Account Takeover via IDOR

3. Impact

An attacker can:
Perform unauthorized actions on reports belonging to other users.
Manipulate the bug triage workflow.
Perform administrator-only operations.
Access or expose private vulnerability reports.
Impersonate privileged users.
Fully compromise the administrator account.
Gain complete administrative control over the Flyspray instance.

4. Business Impact

Successful exploitation may result in:
Exposure of confidential vulnerability reports.
Loss of trust in the vulnerability disclosure platform.
Manipulation or deletion of valid security reports.
Unauthorized administrative actions.
Complete compromise of the bug reporting system.
Reputational damage to Alwaysdata.
Potential legal and compliance risks due to unauthorized disclosure of sensitive security information.

5. Actual Behaviour The application accepts user-controlled identifiers (task_id and user_id) without verifying ownership or permissions. As a result, attackers can modify these values to perform actions on resources belonging to other users or administrators.

6. Expected Behaviour The server should verify that the authenticated user is authorized to access or modify the requested resource before executing any sensitive action. Administrator-only operations must be restricted to authenticated administrators, and user-supplied identifiers should never be trusted without proper authorization checks.

7. Root Cause The application lacks proper server-side authorization checks and directly trusts client-supplied object identifiers (task_id and user_id), resulting in a classic Broken Access Control (IDOR) vulnerability.

8. Remediation Implement server-side authorization checks for every sensitive request.
Verify ownership of every task_id before processing actions.
Ignore client-supplied user_id; derive it from the authenticated session.
Restrict administrator-only actions using server-side role validation.
Apply the principle of least privilege.
Perform a complete authorization review across all Flyspray endpoints.
Add security regression tests to prevent similar authorization flaws.

Proof Of Concept Drive_Link→ https://drive.google.com/drive/folders/1HTugxMsYGGNsewghO29t07zKTtpc0rZR?usp=sharing

9. Conclusion The identified vulnerabilities originate from a single Broken Access Control (IDOR) flaw affecting multiple critical features of the Flyspray instance. By exploiting this weakness, an attacker can manipulate reports, impersonate users, execute administrator-only actions, disclose private reports, and ultimately achieve full administrator account takeover. Due to the severity and broad impact, this issue should be treated as Critical and remediated immediately.

Thanks

Closed by  cbay
13.07.2026 07:40
Reason for closing:  Invalid
Admin
cbay commented on 13.07.2026 07:40

Hello,

We're running the latest version of Flyspray. You should report that vulnerability to them.

Kind regards,
Cyril

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing