Disclaimer
This advisory refers to my other security advisory; GitHub asked for separate posts in order to assign CVE IDs.
Arbitrary comment delete
Description
When deleting a comment, the ownership of the comment is not validated. Any user can delete an arbitrary comment belonging to another user on any post, simply by intercepting the delete request and changing the commentID.
The code that causes the problem is in routes/post.py, line 77:
if "commentDeleteButton" in request.form:
    # commentID comes straight from the client; nobody checks who owns it
    Delete.comment(request.form["commentID"])
PoC

In the image above, the commentID requested for deletion is NOT owned by the user that made the request.
Solution
Before deleting a comment, check that the user making the request owns the comment referenced by commentID.
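As an added example (not the project's own code), the original branch from routes/post.py next to an ownership-checked version. The in-memory comment store, the user ids, the Delete stand-in and the handler signatures are constructed for illustration.

```python
# Constructed in-memory store: commentID -> owner user id
COMMENTS = {"10": "alice", "11": "bob"}


class Delete:
    """Stand-in for the project's Delete helper (assumed shape, for the example)."""

    @staticmethod
    def comment(comment_id):
        COMMENTS.pop(comment_id, None)


def handle_delete_vulnerable(form):
    """Mirrors the original logic: deletes whatever commentID the client sends."""
    if "commentDeleteButton" in form:
        Delete.comment(form["commentID"])
        return 204
    return 400


def handle_delete_fixed(form, current_user):
    """Ownership-checked version: the comment must belong to the requesting user.

    Returns an HTTP-style status: 204 on success, 404 for an unknown comment,
    403 when the comment exists but is owned by someone else.
    """
    if "commentDeleteButton" not in form:
        return 400
    comment_id = form["commentID"]
    owner = COMMENTS.get(comment_id)
    if owner is None:
        return 404
    if owner != current_user:
        # Decide on the server, from the session's user, never from the form.
        return 403
    Delete.comment(comment_id)
    return 204
```

The check must use the authenticated user from the session, not any user id the client could include in the form, otherwise the same bypass reappears one field over.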