Crowd Data Center
CWD-3464

Authorization bypass


Details

    Type: Bug
    Resolution: Fixed
    Priority: Highest

    Description

      Authorization bypass
      (Attacker can alter another user details)

      Steps:
      1) Create two test users, A and B.
      2) Log in as user A at https://openid.atlassian.com
      3) Click Profiles and view the page source to capture the profileID of user A.
      For example, you can find code similar to the following in the profile page's HTML source, from which the profileID can be captured:

      <input type="button" class="button" value="Delete" onclick="location.href ='/secure/profile/editprofiles!doDelete.action?profileID=15826981&atl_token=d664b23ab7fb8664ce7690b579ff6379eec9712e'"/>

      4) Now log out from user A and log in as user B.
      5) Go to Profiles.
      6) Enable Tamper Data (Mozilla plugin), which is required to tamper with the form.
      7) Change some details on the profile (such as nickname, full name, email ID, etc.). When clicking the Save button, tamper with the form using the Tamper Data tool and change user B's profileID value to user A's profileID (the profile ID is submitted as a form parameter value).
      8) Now log out from user B and log in as user A. You will be surprised to see that the data changed by user B is reflected here in user A.
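The defect reported above is a missing server-side ownership check on the profileID parameter. The following is an added example, not Crowd's code, that places a profile-save handler with that defect beside a hardened one which verifies the referenced profile belongs to the session user; the user ids, session tokens and profile ids are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    owner: str                                   # user id that owns this profile
    details: dict = field(default_factory=dict)  # editable fields (nickname, ...)


def fresh_store():
    """Constructed sample data: two users with one profile each.
    Ids, names and session tokens are made up for this example."""
    profiles = {1001: Profile("userA", {"nickname": "alice"}),
                1002: Profile("userB", {"nickname": "bob"})}
    sessions = {"sess-A": "userA", "sess-B": "userB"}
    return profiles, sessions


def save_profile_vulnerable(profiles, sessions, session_id, profile_id, changes):
    """Mirrors the reported behaviour: the caller is authenticated, but the
    profileID taken from the submitted form is trusted as-is (IDOR)."""
    if session_id not in sessions:
        raise PermissionError("not authenticated")
    profiles[profile_id].details.update(changes)  # no ownership check
    return True


def save_profile_fixed(profiles, sessions, session_id, profile_id, changes):
    """Hardened handler: the profile named in the form must belong to the
    authenticated user. Missing and foreign profiles get the same error so
    the response does not reveal which profileIDs exist."""
    user = sessions.get(session_id)
    if user is None:
        raise PermissionError("not authenticated")
    profile = profiles.get(profile_id)
    if profile is None or profile.owner != user:
        raise PermissionError("profile is not owned by the current user")
    profile.details.update(changes)
    return True


def regression_check(handler):
    """Regression test for this bug: user B's session submits user A's
    profileID. Returns user A's nickname afterwards; it must be unchanged."""
    profiles, sessions = fresh_store()
    try:
        handler(profiles, sessions, "sess-B", 1001, {"nickname": "mallory"})
    except PermissionError:
        pass
    return profiles[1001].details["nickname"]
```

An equally effective fix is to ignore the submitted profileID entirely and resolve the profile from the session user; the ownership check above is the minimal change when the parameter must stay in the form.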

              People

              Assignee: Unassigned
              Reporter: Riaz Ebrahim
