Open-Xchange: IDOR - Deleting other user's reminders just by id

2017-01-17T10:54:19
ID H1:198969
Type hackerone
Reporter inhibitor181
Modified 2017-09-28T07:20:16

Description

Hello, I have found that one can delete other users' reminders just by passing the id. The folder id, user id and other linking data are not passed and not validated (when making a normal delete request all these parameters are passed, but they don't seem to be validated).

POC

```http
PUT /appsuite/api/reminder?action=delete&session=619f92c3343e426d968f6782e5eaba4a HTTP/1.1
Host: sandbox.open-xchange.com
Connection: close

{"id":5}
```

Response

```http
HTTP/1.1 200 OK
Server: nginx

{"data":[5]}
```

The reminder with id 5 does not belong to the logged-in user.

I have also attached a video showing the exploit. As you will see, I am logged in as user 2, then make Burp requests to get all my reminders. User 2 has 2 reminders. Then I switch to user 3 in incognito and you can see that this user has just 1 reminder with another id. Then, from this user, I make a request to delete a reminder belonging to user 2 just by passing the id. I click this 2 times, and after this I switch to user 2 and see that his reminder has been deleted by user 3. The users can be identified by the session id passed in the request, and you will see that it is different.
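The flaw above is a classic insecure direct object reference: the server looks up the reminder by the client-supplied `id` and never compares its owner with the authenticated session. The following is an added illustration written for this page, not Open-Xchange code and not the reporter's: a toy in-memory reminder store with a `delete_vulnerable` handler that behaves like the endpoint in the report and a `delete_fixed` handler that derives the owner from the stored record and compares it with the session's user. The reminder ids, user ids, folder ids and the `Reminder`/`ReminderStore` names are all constructed for the example; they are not the real Open-Xchange data model.

```python
"""Toy model of a reminder delete endpoint: the IDOR as reported, next to an
ownership-checked fix. Constructed example, not Open-Xchange App Suite code."""
from dataclasses import dataclass


@dataclass
class Reminder:
    id: int
    owner_id: int   # hypothetical: the user the reminder belongs to
    folder_id: int  # hypothetical: linking data the client also sends
    note: str


class ReminderStore:
    def __init__(self, reminders):
        self.reminders = {r.id: r for r in reminders}

    def list_for(self, user_id):
        """Ids of the reminders a user owns (what the 'get all' request returns)."""
        return sorted(r.id for r in self.reminders.values() if r.owner_id == user_id)

    def delete_vulnerable(self, session_user_id, body):
        # Mirrors the report: only body["id"] is consulted. The user behind the
        # session is never compared with the reminder's owner, so any valid id
        # from any other user is deleted and echoed back as {"data": [id]}.
        rid = body["id"]
        if rid in self.reminders:
            del self.reminders[rid]
            return {"data": [rid]}
        return {"data": []}

    def delete_fixed(self, session_user_id, body):
        # Authorization is decided from server-side state only: the owner comes
        # from the stored row and is compared with the authenticated session.
        # Any "folder"/"user" fields in the body are ignored, because a client
        # can forge them just as easily as it forged the id.
        rid = body["id"]
        r = self.reminders.get(rid)
        if r is None or r.owner_id != session_user_id:
            # Same answer for "does not exist" and "not yours", so a caller
            # cannot enumerate other users' reminder ids via the error.
            return {"error": "not found", "code": 404}
        del self.reminders[rid]
        return {"data": [rid]}


def seed():
    # Constructed data matching the scenario in the report: user 2 owns two
    # reminders, user 3 owns one with a different id.
    return ReminderStore([
        Reminder(5, 2, 10, "user 2, first reminder"),
        Reminder(6, 2, 10, "user 2, second reminder"),
        Reminder(7, 3, 11, "user 3, only reminder"),
    ])


def run_scenario(handler_name):
    """User 3 (own session) sends {"id": 5}, a reminder owned by user 2.

    Returns the handler's response and the ids user 2 still owns afterwards."""
    store = seed()
    handler = getattr(store, handler_name)
    # Forged linking data in the body, as a "normal" client request would carry it.
    resp = handler(3, {"id": 5, "folder": 10, "user": 2})
    return resp, store.list_for(2)


if __name__ == "__main__":
    print("vulnerable:", run_scenario("delete_vulnerable"))
    print("fixed:     ", run_scenario("delete_fixed"))
```

The check that matters is the single `r.owner_id != session_user_id` comparison on the server side; the fix does not rely on the client omitting or supplying any parameter. Collapsing "not found" and "not yours" into one response is a deliberate choice so that the delete endpoint cannot be used as an oracle for which ids exist.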