Details
- Bug
- Resolution: Fixed
- Highest
Description
Authorization bypass (an attacker can alter another user's profile details)
Steps -
1) Create two test users, A and B.
2) Log in as user A at https://openid.atlassian.com
3) Click Profiles and view the page source to capture the profileID of user A.
For example, the profile page's HTML source contains a line like the following, from which the profileID can be read:
<input type="button" class="button" value="Delete" onclick="location.href ='/secure/profile/editprofiles!doDelete.action?profileID=15826981&atl_token=d664b23ab7fb8664ce7690b579ff6379eec9712e'"/>
4) Log out from user A and log in as user B.
5) Go to Profiles.
6) Enable Tamper Data (Mozilla Firefox plugin), which is required to tamper with the form.
7) Change some details on the profile (such as nick name, full name, email ID etc.). When clicking the Save button, tamper with the form using the Tamper Data tool and change user B's profileID value to user A's profileID (the profileID is submitted as a form parameter value).
8) Log out from user B and log in as user A. You will be surprised to see that the data changed as user B is reflected here in user A's profile.
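The flaw behind these steps is that the server updates whichever record the submitted profileID names, without checking that it belongs to the logged-in user. The following is an added illustration, not Crowd's code: a minimal profile-save handler in its vulnerable form next to the fixed form that enforces ownership against the session user (all names, ids and data are constructed).

```python
# Added illustration (not Crowd's code): a profile-edit handler that trusts the
# submitted profileID (vulnerable) versus one that checks the record's owner
# against the authenticated session user (fixed). Names and data are constructed.
from dataclasses import dataclass


@dataclass
class Profile:
    profile_id: int
    owner: str          # username that owns this profile
    nickname: str
    email: str


class OwnershipError(Exception):
    """Raised when a user tries to edit a profile that is not theirs."""


# Constructed sample store keyed by profileID (the ids are made up).
PROFILES = {
    15826981: Profile(15826981, "userA", "Alice", "alice@example.invalid"),
    15826982: Profile(15826982, "userB", "Bob", "bob@example.invalid"),
}


def vulnerable_save(session_user: str, form: dict) -> Profile:
    """Mirrors the reported bug: the profileID from the form alone decides which
    record is updated, so a tampered value edits another user's profile."""
    profile = PROFILES[int(form["profileID"])]
    profile.nickname = form["nickname"]
    profile.email = form["email"]
    return profile


def fixed_save(session_user: str, form: dict) -> Profile:
    """Hardened: the record is updated only if its owner is the session user.
    A missing id and a foreign id get the same error, so the response does not
    reveal whether an arbitrary profileID exists."""
    profile = PROFILES.get(int(form["profileID"]))
    if profile is None or profile.owner != session_user:
        raise OwnershipError(f"{session_user} may not edit profileID {form['profileID']}")
    profile.nickname = form["nickname"]
    profile.email = form["email"]
    return profile


def attempt(save, session_user: str, form: dict) -> str:
    """Run a save handler and report whose profile it changed ('rejected' if none)."""
    try:
        return save(session_user, form).owner
    except OwnershipError:
        return "rejected"
```

Replaying the report's step 7 against both handlers (user B submitting user A's profileID) shows the vulnerable one changing user A's record and the fixed one rejecting the request while still allowing B to edit B's own profile.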
Issue Links
- has a derivative of: CWD-3465 Crowd OpenID server does not enforce profile ownership for edits (Closed)