CVE-2021-44838
=======================================================================
- Broken Access Controls in Risk Details between companies
- Affected Product: DeltaRM 1.2
- Vendor: DeltaRM
- Severity: High
- Vulnerability Class: Broken Access Controls
- Status: Fixed
- Author(s): Renato Cruz
=======================================================================
Summary
An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint, with a POST request indicating the risk to access with the id parameter, it is possible for users to access risks belonging to other companies.
Reproduction Steps
As an authenticated user, send the following request:
POST /risque/risque/ajax-details HTTP/1.1
Host: deltarm.com
Cookie: PHPSESSID=*session cookie*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

id=*another company id*&evalId=&appel=
Remediation
The application needs to validate the current user roles and permissions, and guarantee that the user only has access to the expected allowed features and context.
- With the exception of public resources, deny by default.
- Log access control failures, alert admins when appropriate (e.g. repeated failures).
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- JWT tokens should be invalidated on the server after logout.
- Developers and QA staff should include functional access control unit and integration tests.
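The following is an added illustration of the object-level check the remediation describes, written here for this advisory; it is not DeltaRM's code, and the handler names, the Risk/Session types and the in-memory tables are constructed assumptions. It shows the flawed pattern (fetching a risk by id alone) next to a hardened handler that denies by default, scopes the lookup to the caller's company, logs every denial and raises an alert after repeated failures, and it parses the same form body the request above carries.

```python
"""Object-level authorization for a "risk details" endpoint.

Added example for CVE-2021-44838, not DeltaRM's code. All names below
(Risk, Session, ajax_details, RISKS, ...) are constructed for illustration.
"""
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

log = logging.getLogger("access-control")


@dataclass(frozen=True)
class Risk:
    id: int
    company_id: int
    title: str


@dataclass
class Session:
    user_id: Optional[int] = None      # None = not authenticated
    company_id: Optional[int] = None   # tenant the user belongs to


# Constructed sample data: two companies, one risk each.
RISKS: Dict[int, Risk] = {
    101: Risk(101, company_id=1, title="Supplier outage"),
    202: Risk(202, company_id=2, title="Data-centre flood"),
}

# Per-user denial counter and the alerts raised from it.
ALERT_THRESHOLD = 3
denied_counts: Dict[int, int] = {}
ALERTS: List[int] = []


def parse_body(body: str) -> Optional[int]:
    """Parse 'id=...&evalId=&appel=' and return id as int, or None if absent/invalid."""
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("id", [""])[0]
    return int(raw) if raw.isdigit() else None


def ajax_details_vulnerable(session: Session, body: str) -> Tuple[int, dict]:
    """The pattern the advisory describes: the risk is looked up by id only,
    so any authenticated user can read any company's risk."""
    if session.user_id is None:
        return 401, {"error": "login required"}
    risk = RISKS.get(parse_body(body))
    if risk is None:
        return 404, {"error": "not found"}
    return 200, {"id": risk.id, "title": risk.title}


def record_denial(session: Session, risk_id: int) -> None:
    """Log the access-control failure and alert once the per-user count
    reaches ALERT_THRESHOLD (repeated failures suggest enumeration)."""
    n = denied_counts.get(session.user_id, 0) + 1
    denied_counts[session.user_id] = n
    log.warning("user=%s company=%s denied risk=%s (count=%d)",
                session.user_id, session.company_id, risk_id, n)
    if n == ALERT_THRESHOLD:
        ALERTS.append(session.user_id)


def ajax_details(session: Session, body: str) -> Tuple[int, dict]:
    """Hardened handler: deny by default, scope the lookup to the caller's
    company, and log every denial."""
    if session.user_id is None or session.company_id is None:
        return 401, {"error": "login required"}
    risk_id = parse_body(body)
    if risk_id is None:
        return 400, {"error": "invalid id"}
    # Equivalent of: SELECT ... FROM risks WHERE id = ? AND company_id = ?
    risk = RISKS.get(risk_id)
    if risk is None or risk.company_id != session.company_id:
        record_denial(session, risk_id)
        # 404 rather than 403 so the response does not confirm the id exists
        return 404, {"error": "not found"}
    return 200, {"id": risk.id, "title": risk.title}


if __name__ == "__main__":
    alice = Session(user_id=7, company_id=1)
    print("vulnerable:", ajax_details_vulnerable(alice, "id=202&evalId=&appel="))
    print("hardened:  ", ajax_details(alice, "id=202&evalId=&appel="))
```

The essential change is that the tenant filter is part of the query itself rather than a check bolted on afterwards, so a forgotten check cannot silently fall back to returning the row; the per-user counter is what the "log failures, alert admins" item in the list above looks like in practice.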
Disclosure Timeline
- 26-10-2021: Vulnerability disclosed to DeltaRM
- 28-10-2021: Acknowledgement from vendor
- 11-12-2021: Fix released by the vendor
- 10-01-2022: Retest performed, vulnerability fixed