[ https://issues.apache.org/jira/browse/FINERACT-2128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gavin McDonald updated FINERACT-2128:
-------------------------------------
    Description: [Redacted]  (was: h3. Description

Insecure direct object references (IDOR) are a type of access control 
vulnerability that arises when an application uses user-supplied input to 
access objects directly. In this case, various parameters (example: officeId) 
were not verified at the backend.
h3. Impact Details

An attacker can perform various unauthorised actions like create, delete, view 
for other offices by manipulating various parameters (example: officeId)
h3. Reproduction Steps

A. Read Write user can create clients for other offices by manipulating the 
`id` parameter.
 # Login at [https://openmf.github.io/web-app/]  or   
[https://demo.mifos.io|https://demo.mifos.io/] as a Read Write User and visit 
the Create Client section.
 # Now click on Create Client and fill all the necessary details. Click on 
Submit and make sure to intercept the POST /fineract-provider/api/v1/clients 
request.
 # Notice that the officeId is 8, send the request to BurpSuite Repeater and drop 
the current request. Change the officeId to 2 and click on Send.
 # Now log in as a different user and notice that a client has been created in a 
different office.

B. Read Write User can delete clients for other offices by manipulating the 
`id` parameter in the URL
 # Login at [https://openmf.github.io/web-app/]  or   
[https://demo.mifos.io|https://demo.mifos.io/] as a Read Write User and visit 
the Create Client section.
 # Select any one of the clients and click on the delete button, make sure to 
intercept the DELETE request.
 # Send the delete request to the Repeater and drop the current request. Now 
log in as a different user and select any of the clients. Notice the Client ID 
being displayed below the name (example: 95). 
 # Now visit the request saved in the Repeater and change the clientId from 97 
to 95 and click on Send.
 # Now reload the page with clientId 95 and notice the user has been deleted.

C. Read Write User can create Identities for clients in other offices by 
manipulating the `id` in URL 
 # Login at [https://openmf.github.io/web-app/]  or   
[https://demo.mifos.io|https://demo.mifos.io/] as a Read Write User. Select any 
one of the clients and click on Identities Section.
 # Click on add and submit all relevant details, make sure to intercept the 
POST request.
 # Send the intercepted request to BurpSuite Repeater and drop the current 
request. Now log in as a different user and select any of the clients. Notice 
the Client ID being displayed below the name (example: 96).
 # Now visit the request saved in the Repeater and change the clientId from 97 
to 96 and click on Send.
 # Now reload the page with clientId 96 and notice that an identity has been created.

D. Read Write User can delete Identities for clients in other offices by 
manipulating the id in URL
 # Login at [https://openmf.github.io/web-app/]  or   
[https://demo.mifos.io|https://demo.mifos.io/] as a Read Write User. Select any 
one of the clients and click on Identities Section.
 # Select any one of the identities and click on the delete button, make sure 
to intercept the DELETE request.
 # Send the delete request to the Repeater and drop the current request. Now 
log in as a different user and select any of the clients. Notice the Client ID 
being displayed below the name (example: 96) and that the Identity Id mentioned is 
15. 
 # Now visit the request saved in the Repeater and change the clientId to 96 
and the IdentityId to 15. Now click on Send.
 # Now reload the page with clientId 96 and notice the user has been deleted.

E. Read Write User can view user details for different offices.
 # Login at [https://openmf.github.io/web-app/]  or   
[https://demo.mifos.io|https://demo.mifos.io/] as a Read Write User.
 # Visit the Users section, located at the Admin drop down.
 # Click on any of the users and intercept the GET 
/fineract-provider/api/v1/users/<ID> request.
 # Send the request to BurpSuite Repeater and change the id from 27 to 24. 
Click on Send.

Notice that you can view details of other users such as officeName, firstname, 
lastname, email address and role permissions.

Following are some more examples where an unauthorized user can create, view and 
delete various functionalities for users of a different office.

F. Read write user can edit Notes for clients in other offices by manipulating 
the id in URL

G. Read write user can delete Notes for clients in other offices by 
manipulating the id in URL

H. Read write user can create groups for other offices by manipulating the id 
and post message

I. Read write user can create notes for other groups for different offices

J. Read write user can edit notes for other groups for different offices

K. Read write user can delete notes for other groups for different offices

L. Read write user can activate groups for other offices. 

M. Read write user can create Notes for clients in other offices by 
manipulating the id in URL

N. Read Write user can create centers for other offices

O. Read Write User can create users for different offices

P. Read Write User can delete users for different offices
h3. Remediation Advice

It is recommended to implement proper mapping of user sessions to the various Ids 
in the backend.
Please note that the fix should be implemented across all API services.)

> Insecure Direct Object Reference
> --------------------------------
>
>                 Key: FINERACT-2128
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2128
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Client, Security
>            Reporter: Peter Chen
>            Priority: Minor
>              Labels: backend, security, web
>
> [Redacted]
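The report's remediation advice (check every officeId, clientId and userId a request names against the caller's permitted scope in the backend, on every API service) can be illustrated with a small model of the check. The following is an added example written for this page; it is not code from Apache Fineract or from the reporter. It assumes offices form a tree in which each office carries a materialised-path string (".1." for the head office, ".1.8." for branch 8 beneath it), so office B is in scope for a user of office A exactly when B's path starts with A's path. The office, user and client tables, the ids, and the handler names are all constructed for the example; the vulnerable `create_client_vulnerable` mirrors step A of the report, and the hardened handlers mirror steps A, B and E.

```python
"""
Backend office-scope check for office-owned resources (added illustration,
not Apache Fineract code). Assumption: each office carries a materialised-path
"hierarchy" string, e.g. ".1." for the head office and ".1.8." for branch 8;
office B is in scope for a user of office A iff B's path starts with A's path.
All ids and sample data below are constructed.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller explicitly named an office outside their scope (HTTP 403)."""


class NotFound(Exception):
    """Object missing or out of scope; both look the same to the caller (HTTP 404)."""


@dataclass(frozen=True)
class Office:
    id: int
    hierarchy: str  # materialised path, e.g. ".1.8."


@dataclass(frozen=True)
class User:
    id: int
    office: Office


@dataclass(frozen=True)
class Client:
    id: int
    office_id: int


# Constructed sample data: head office 1 with branches 2 and 8.
OFFICES = {1: Office(1, ".1."), 2: Office(2, ".1.2."), 8: Office(8, ".1.8.")}
USERS = {
    1: User(1, OFFICES[1]),    # head-office administrator, sees every branch
    24: User(24, OFFICES[2]),  # branch 2 user
    27: User(27, OFFICES[8]),  # branch 8 "Read Write" user (the attacker in the report)
}


def fresh_clients() -> dict:
    """Constructed client table; a fresh copy per scenario so runs don't interfere."""
    return {95: Client(95, office_id=2), 97: Client(97, office_id=8)}


def in_scope(actor: User, office_id: int) -> bool:
    """True iff office_id is the actor's own office or one below it in the tree."""
    target = OFFICES.get(office_id)
    return target is not None and target.hierarchy.startswith(actor.office.hierarchy)


def create_client_vulnerable(actor: User, body: dict, clients: dict) -> int:
    """Step A as reported: the officeId in the request body is trusted unchecked."""
    new_id = max(clients, default=0) + 1
    clients[new_id] = Client(new_id, office_id=int(body["officeId"]))
    return new_id


def create_client(actor: User, body: dict, clients: dict) -> int:
    """Hardened form: the supplied officeId must lie inside the caller's scope."""
    office_id = int(body["officeId"])
    if not in_scope(actor, office_id):
        raise Forbidden(f"user {actor.id} cannot create clients in office {office_id}")
    new_id = max(clients, default=0) + 1
    clients[new_id] = Client(new_id, office_id=office_id)
    return new_id


def _load_client(actor: User, client_id: int, clients: dict) -> Client:
    """Resolve a client id, treating out-of-scope exactly like non-existent so the
    response cannot be used to enumerate which ids exist in other offices."""
    client = clients.get(client_id)
    if client is None or not in_scope(actor, client.office_id):
        raise NotFound(f"client {client_id}")
    return client


def delete_client(actor: User, client_id: int, clients: dict) -> None:
    """Hardened form of step B: DELETE /clients/{id} checks the owning office."""
    _load_client(actor, client_id, clients)
    del clients[client_id]


def get_user(actor: User, user_id: int) -> dict:
    """Hardened form of step E: GET /users/{id} only returns users in scope."""
    target = USERS.get(user_id)
    if target is None or not in_scope(actor, target.office.id):
        raise NotFound(f"user {user_id}")
    return {"id": target.id, "officeId": target.office.id}
```

Two design points worth carrying into a real fix: the scope decision is made from the object's stored office (looked up server-side), never from an office value the client sends alongside the id, and for id-addressed objects an out-of-scope id answers identically to a non-existent one, so the DELETE and GET endpoints cannot be used to confirm which client or user ids exist in other offices.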



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
