Skip to content

Instantly share code, notes, and snippets.

@rntcruz23
Created January 17, 2022 10:44
Show Gist options
  • Save rntcruz23/8a91e6366a8247a0692c8ce2dfe87f21 to your computer and use it in GitHub Desktop.
Save rntcruz23/8a91e6366a8247a0692c8ce2dfe87f21 to your computer and use it in GitHub Desktop.
CVE-2021-44837

CVE-2021-44837

=======================================================================

  • Broken Access Controls in Risk Create Information
  • Affected Product: DeltaRM 1.2
  • Vendor: DeltaRM
  • Severity: High
  • Vulnerability Class: Broken Access Controls
  • Status: Fixed
  • Author(s): Renato Cruz =======================================================================

Summary

An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.

Reproduction Steps

As an authenticated user, send the following request

GET /risque/administration/referentiel/json/create/categorie2?id_cat1=*risk id* HTTP/1.1
Host: deltarm.com
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=*session id*

Remediation

The application needs to validate the current user roles and permissions, and guarantee that the user only has access to the expected allowed features and context.

  • With the exception of public resources, deny by default.
  • Log access control failures, alert admins when appropriate (e.g. repeated failures).
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • JWT tokens should be invalidated on the server after logout.
  • Developers and QA staff should include functional access control unit and integration tests.

Disclosure Timeline

  • 26-10-2021: Vulnerability disclosed to DeltaRM
  • 28-10-2021: Acknowlegement from vendor
  • 11-12-2021: Fix released by the vendor
  • 10-01-2022: Retest performed, vulnerability fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment