- Broken Access Controls in Risk Create Information
- Affected Product: DeltaRM 1.2
- Vendor: DeltaRM
- Severity: High
- Vulnerability Class: Broken Access Controls
- Status: Fixed
- Author(s): Renato Cruz
=======================================================================
An issue was discovered in Delta RM 1.2: an authenticated but unprivileged user can retrieve the same risk-creation information as an admin user from the /risque/administration/referentiel/json/create/categorie endpoint, by supplying the identifier of the risk in the id_cat1 query parameter. The server returns the administrative referential data without checking the caller's role.
As an authenticated user with no administrative role, send the following request, where *risk id* is the id_cat1 value of the risk and *session id* is the PHPSESSID of the low-privileged session:

```http
GET /risque/administration/referentiel/json/create/categorie2?id_cat1=*risk id* HTTP/1.1
Host: deltarm.com
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=*session id*
```

The response contains the risk-creation information that should only be visible to an admin user.
The application must validate the current user's roles and permissions on the server for every request, and guarantee that the user can only reach the features and data that their role allows. A client-side check, or a check that is only applied on the page that links to the endpoint, is not sufficient, because the JSON endpoint can be called directly.
- With the exception of public resources, deny by default.
- Log access control failures, and alert admins when appropriate (e.g. on repeated failures from the same session).
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- Session identifiers (here PHPSESSID) and any JWT tokens should be invalidated on the server after logout.
- Developers and QA staff should include functional access control unit and integration tests.
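The following is an added example, not DeltaRM's code, of the server-side check the recommendations above describe: a deny-by-default authorization lookup applied to the JSON endpoint before any data is returned, failures recorded for alerting, and a retest helper that reproduces the advisory's comparison between an admin session and an unprivileged session. The session store, the permission names, the risk-category data and the request builder are all constructed assumptions for the example; only the endpoint path, the id_cat1 parameter and the PHPSESSID cookie come from the advisory.

```python
"""Added example (not DeltaRM's code): deny-by-default authorization for the
risk-category JSON endpoint, plus a retest that compares admin and user responses.
All data, session identifiers and permission names are constructed assumptions."""
import logging
from urllib.parse import parse_qs, urlparse

log = logging.getLogger("access_control")

# Constructed session store: PHPSESSID value -> user record (assumption).
SESSIONS = {
    "admin-session": {"user": "alice", "roles": {"admin"}},
    "user-session": {"user": "bob", "roles": {"user"}},
}

# Constructed risk-category referential data keyed by id_cat1 (assumption).
RISK_CATEGORIES = {
    "1": {"id_cat1": "1", "label": "Operational", "subcategories": ["1a", "1b"]},
}

# Permission required for each route. A route that is not listed is denied:
# there is no implicit "allow" for unknown paths (deny by default).
ROUTE_PERMISSIONS = {
    "/risque/administration/referentiel/json/create/categorie": "risk.referential.admin",
    "/risque/administration/referentiel/json/create/categorie2": "risk.referential.admin",
}
ROLE_PERMISSIONS = {
    "admin": {"risk.referential.admin", "risk.view"},
    "user": {"risk.view"},
}

# Access-control failures kept for alerting on repeated failures (constructed sink).
FAILURES = []


def authorize(session_id, path):
    """Return True only if the session's roles explicitly grant the route's permission."""
    user = SESSIONS.get(session_id)
    if user is None:
        _fail(session_id, path, "unknown session")
        return False
    needed = ROUTE_PERMISSIONS.get(path)
    if needed is None:
        _fail(user["user"], path, "route has no permission mapping")
        return False
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
    if needed not in granted:
        _fail(user["user"], path, f"missing permission {needed}")
        return False
    return True


def _fail(who, path, reason):
    # Every denial is logged so repeated failures can be alerted on.
    FAILURES.append((who, path, reason))
    log.warning("access denied: who=%s path=%s reason=%s", who, path, reason)


def handle_request(raw_request):
    """Parse a minimal HTTP/1.1 request (request line + headers) and dispatch.
    Returns (status, body). Authorization runs before any data lookup."""
    lines = raw_request.split("\r\n")
    _method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    cookies = dict(
        c.strip().split("=", 1) for c in headers.get("cookie", "").split(";") if "=" in c
    )
    parsed = urlparse(target)
    if not authorize(cookies.get("PHPSESSID"), parsed.path):
        return 403, {"error": "forbidden"}
    id_cat1 = parse_qs(parsed.query).get("id_cat1", [None])[0]
    category = RISK_CATEGORIES.get(id_cat1)
    if category is None:
        return 404, {"error": "not found"}
    return 200, category


def build_request(session_id, risk_id, path="/risque/administration/referentiel/json/create/categorie2"):
    """Build the request from the advisory for a given session and risk id."""
    return (
        f"GET {path}?id_cat1={risk_id} HTTP/1.1\r\n"
        "Host: deltarm.com\r\n"
        "X-Requested-With: XMLHttpRequest\r\n"
        f"Cookie: PHPSESSID={session_id}\r\n\r\n"
    )


def retest(risk_id="1"):
    """Reproduce the advisory's check: the flaw is present when the unprivileged
    session receives the same body as the admin session for the same risk id."""
    admin_status, admin_body = handle_request(build_request("admin-session", risk_id))
    user_status, user_body = handle_request(build_request("user-session", risk_id))
    return {
        "admin_status": admin_status,
        "user_status": user_status,
        "vulnerable": admin_body == user_body,
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(retest())
```

The retest helper is the form the 10-01-2022 verification step takes: issue the same request with two sessions of different privilege and treat identical bodies as a failure, rather than relying on the UI hiding the link. Because ROUTE_PERMISSIONS is the only source of "allow", adding a new JSON endpoint without a mapping keeps it closed until someone deliberately grants it.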
- 26-10-2021: Vulnerability disclosed to DeltaRM
- 28-10-2021: Acknowledgement from vendor
- 11-12-2021: Fix released by the vendor
- 10-01-2022: Retest performed, vulnerability fixed