Open-Xchange: IDOR - Downloading all attachements if having access to a shared link

ID H1:194790
Type hackerone
Reporter inhibitor181
Modified 2017-09-28T07:20:24


Hello, I have found that one can download all attachements if finds/has access to a public link (in this POC a shared task link). This is a big issue as one can download all the attachements of registered users, while the attacker is not actually logged in the application ! Also, I have found another link that leaks attachement names.

Because of the severity, I have attached a POC video.

Video description : at first, I will get a public task share link. With that link, I will have access to 2 tasks, only 1 witch has an attachement. By using burp calls, I will leak the names of other attachements. After this, I will try to view my attachement and download it. As you can see in the video, just changing the id form the link, allows me to download other restricted files !