Disclaimer
This advisory is related to my other security advisory; GitHub asked for separate posts in order to assign separate CVE IDs.
Authorization Bypass
Description
The code checks whether userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user tries to access the admin page; that check is not performed in routes/adminPanelComments.py and routes/adminPanelPosts.py.
Thus, an unauthorized user can bypass the intended restrictions, leaking sensitive data by accessing the following pages:
- /admin/posts
- /adminpanel/posts
- /admin/comments
- /adminpanel/comments
PoC
The user accessing the page is NOT admin.
Solution
Add a check of the user role whenever a user tries to access any of the /admin/ subroutes, not only the /admin page itself.
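To illustrate the defect and the fix, here is an added example in plain Python (not the project's code; Flask is replaced by a tiny constructed route registry, and a dict stands in for the session that holds userRole): the role check as a decorator that each /admin subroute must carry, plus an audit helper that lists admin-prefixed routes registered without it.

```python
from functools import wraps

# Constructed stand-in for the web framework: a path -> view registry and a
# dict playing the role of the session (the real project keeps userRole in it).
ROUTES = {}

def route(path):
    """Register a view under a path (hypothetical, replaces Flask's app.route)."""
    def register(view):
        ROUTES[path] = view
        return view
    return register

def require_role(role):
    """Deny the request with 403 unless session['userRole'] equals the role."""
    def decorator(view):
        @wraps(view)
        def guarded(session):
            if session.get("userRole") != role:
                return 403, "forbidden"
            return view(session)
        guarded._guarded = True      # marker used by the audit helper below
        return guarded
    return decorator

@route("/admin")
@require_role("admin")
def admin_panel(session):
    return 200, "admin panel"

# Vulnerable pattern: the subroute assumes /admin was already checked.
@route("/admin/posts")
def admin_posts(session):
    return 200, "all posts, including unpublished ones"

# Fixed pattern: every subroute carries its own role check.
@route("/admin/comments")
@require_role("admin")
def admin_comments(session):
    return 200, "all comments"

def dispatch(path, session):
    """Resolve a path and call its view, as the framework would."""
    view = ROUTES.get(path)
    return view(session) if view else (404, "not found")

def unguarded_admin_routes():
    """Audit helper: admin-prefixed routes registered without require_role."""
    return sorted(p for p, v in ROUTES.items()
                  if p.startswith("/admin") and not getattr(v, "_guarded", False))
```

Running unguarded_admin_routes() against the registry flags /admin/posts, which is exactly the class of route this advisory describes.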