
Admin Information Disclosure via Token Parameter (by @RedHuntLabs) #4307

Open
@sampritdas8

Hello @PanJiaChen ,
I'm Samprit Das from @redhuntlabs. I’ve identified another critical vulnerability in your application. Kindly review the attached report and address the issue at your earliest convenience.

Title: Admin Information Disclosure via Token Parameter

Observation: During testing, it was observed that the application allows unauthorized users to access information related to any token. When we remove the session token from the cookie header, any user is still able to access the information, but we need the token id to get it.

Severity: Critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Resources Affected: http://192.168.1.9:9527/dev-api/user/info?token=admin-token

Affected code: https://github.com/PanJiaChen/vue-element-admin/blob/master/mock/user.js#L52

Parameter Affected: token

Technical Impact: The application lacks proper authentication and authorization checks on token-related endpoints, allowing unauthorized users to access sensitive data if they possess a valid token ID. This indicates an Insecure Direct Object Reference (IDOR) vulnerability.

Business Impact: This can lead to exposure of sensitive admin or user information, increasing the risk of data breaches, reputational damage, and potential compliance violations depending on the nature of the disclosed data.

Steps to reproduce:

  1. Log in to the editor account.
  2. Capture the request for the following endpoint in BurpSuite.
  3. Send the request and observe the response.
  4. Now remove the cookie and access token header from the request and observe the response.

Remediation:
Implement strict authentication and authorization checks on all endpoints that handle token-related data. Ensure that the server verifies the user's identity and permissions before processing requests. Additionally, avoid relying solely on token IDs as an access control, and consider using secure, unpredictable token values along with role-based access control (RBAC) to protect sensitive information.
