Status: Closed
Assigned To: nferrari
Private
Opened by monty099 - 18.04.2024
Last edited by nferrari - 24.04.2024
FS#48 - Clickjacking (On-click) Vulnerability in Support Ticket Attachment Deletion in admin.alwaysdata.com
*Title:* Clickjacking (On-click) Vulnerability in Support Ticket Attachment Deletion in [admin.alwaysdata.com]
*Summary:*
The support ticket system of the web application is vulnerable to a clickjacking attack that allows an attacker to trick a user into deleting attachments from their support tickets unknowingly.
On-click: delete any attachment in users' technical support tickets.
*Steps to Reproduce:*
1. Create a support ticket in the application.
2. Attach a file to the support ticket.
3. Obtain the direct link of the attachment and append the /delete/ command to the URL.
4. Create an HTML proof-of-concept file with the following content:
   <a href="https://admin.alwaysdata.com/support/----/delete/----">click</a>
5. Host this HTML page or send it via link to the victim.
6. Once the victim clicks on the disguised link, the attachment is deleted without their explicit consent or knowledge.
An attacker can also use his own location and attach an HTML file, instead of sending a file that the user clicks on.
*Impact:*
The exploit enables unauthorized deletion of any attachment from user-created support tickets. This can result in loss of critical data and potential breach of information security, affecting data integrity and user trust.
This is in addition to the report below, where I explained it in another way; I remembered now that the attacker could delete any technical support ticket in the way I explained in this report.
link: https://security.alwaysdata.com/task/24
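The bug class in this report, shown as an added Python example that is not part of the report and not alwaysdata's code: a handler that deletes an attachment on a plain GET to `/support/<ticket>/delete/<attachment>` can be fired by any link the logged-in victim follows, because the browser attaches the session cookie to the navigation. Next to it is a hardened handler that requires POST, a same-origin Origin/Referer (failing closed when neither is present) and a per-session CSRF token. The `Request` shape, the session table, the store, the form field name and the site origin are all assumptions made for the demo.

```python
# Added example: not alwaysdata's code. It models the bug class in the report
# (an attachment is deleted by a plain GET to /support/<ticket>/delete/<id>,
# so any link the logged-in victim follows fires it) next to a hardened
# handler. Request shape, session store, origin and names are all assumed.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://admin.alwaysdata.com"   # assumed origin of the panel
CSRF_FIELD = "csrfmiddlewaretoken"             # assumed form field name


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed session table: cookie value -> session data (user + CSRF token).
SESSIONS = {"sess-victim": {"user": "victim", "csrf": secrets.token_hex(16)}}
ATTACHMENT = ("victim", "1234", "abcd")   # (owner, ticket, attachment id)


def fresh_store():
    """Constructed attachment store: (owner, ticket, attachment id) -> filename."""
    return {ATTACHMENT: "server-logs.txt"}


def parse_delete_path(path):
    """Return (ticket, attachment) for /support/<ticket>/delete/<attachment>, else None."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "support" or parts[2] != "delete":
        return None
    return parts[1], parts[3]


def _delete_owned(sess, req, store):
    ids = parse_delete_path(req.path)
    if ids is None:
        return 404
    key = (sess["user"],) + ids
    if key not in store:
        return 404          # not this user's attachment, or already gone
    del store[key]
    return 200


def delete_attachment_vulnerable(req, store):
    """The reported behaviour: the session cookie is the only check and the
    method is not restricted, so a link on an attacker page is enough."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return 401
    return _delete_owned(sess, req, store)


def delete_attachment_hardened(req, store):
    """Same operation, but POST only (a link cannot issue one), Origin or
    Referer must be this site (fail closed when both are absent), and the
    form must carry the session's CSRF token (constant-time compare)."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403
    token = req.form.get(CSRF_FIELD, "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403
    return _delete_owned(sess, req, store)


def session_cookie_header(value):
    """Set-Cookie value for the session. SameSite=Lax blocks the cookie on
    cross-site POSTs but NOT on top-level GET navigations, which is exactly
    why the method restriction above is needed as well."""
    return f"sessionid={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo():
    """Victim follows the attacker's link (GET from another site), then a
    legitimate in-site POST. Returns (status, attachment still present)."""
    attacker_click = Request("GET", "/support/1234/delete/abcd",
                             cookies={"sessionid": "sess-victim"},
                             headers={"Referer": "https://attacker.example/"})
    legit_post = Request("POST", "/support/1234/delete/abcd",
                         cookies={"sessionid": "sess-victim"},
                         headers={"Origin": SITE_ORIGIN},
                         form={CSRF_FIELD: SESSIONS["sess-victim"]["csrf"]})
    vuln_store, hard_store = fresh_store(), fresh_store()
    vuln = delete_attachment_vulnerable(attacker_click, vuln_store)
    hard_click = delete_attachment_hardened(attacker_click, hard_store)
    still_there_after_click = ATTACHMENT in hard_store
    hard_post = delete_attachment_hardened(legit_post, hard_store)
    return {
        "vulnerable_click": (vuln, ATTACHMENT in vuln_store),
        "hardened_click": (hard_click, still_there_after_click),
        "hardened_legit_post": (hard_post, ATTACHMENT in hard_store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and the vulnerable handler returns 200 for the cross-site GET with the attachment gone, while the hardened one returns 405 for the same click and 200 only for the in-site POST carrying the token. The practical check when triaging a report like this: if a state-changing URL works when pasted into the address bar of a logged-in browser, it is reachable from any page the victim visits; fix the method and add a token rather than relying on a cookie attribute alone.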
Hi
Is there any update to this report?
any update?
Hi team,
Is there any update to the report?
Hi,
Thank you for this report, we will come back to you very soon.
Regards,
Your report has been validated, and a fix has been deployed.
This report is now closed.
We will keep the discussion by ticket for your reward.
Thank you!