The vulnerability lies in the “view attachment” endpoint of tasks. When a user uploads a file to a task, the attachment is assigned a numeric ID that is incremented by 1 on each further upload. Any user can view and download all files uploaded to tasks by any other user: access is not controlled by the session, and no CSRF token is checked.
Steps to Reproduce:
- Connect to the server, log in with user A and visit the webpage. I used the provider “us.cloudamo.com”.
- Visit https://us.cloudamo.com/apps/deck and create a task.
- Upload any file to the attachments and capture the request. The request will look like “https://us.cloudamo.com/apps/deck/cards/8420/attachment/30”, where 30 is the ID of the uploaded attachment.
- Log in with user B and access the same URL; you should be able to view the attachment of user A.
- Since the attachment IDs are sequential numbers with poor entropy, they can easily be brute-forced, and one can obtain all attachments uploaded by all users of the particular provider.
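As an added example (not Deck's own code), the handler pattern that produces this bug beside the check that fixes it, in Python with constructed sample data: the fixed version verifies that the attachment belongs to the card named in the URL and that the requesting user has access to that card, instead of trusting the numeric ID alone. The card membership table, user names and attachment records are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    id: int
    card_id: int
    filename: str


# Constructed sample data: which users may access which card (e.g. via board
# membership), and attachments with sequential IDs as described in the report.
CARD_MEMBERS = {8420: {"userA"}, 8421: {"userB"}}
ATTACHMENTS = {
    30: Attachment(30, 8420, "contract.pdf"),
    31: Attachment(31, 8421, "notes.txt"),
}


def view_attachment_vulnerable(user, card_id, attachment_id):
    """GET /cards/{card_id}/attachment/{attachment_id}, as the bug behaves.

    The record is fetched by attachment ID only; neither the card in the URL
    nor the requesting user is checked, so any user can fetch any ID.
    Returns (status, filename) instead of raising, for easy testing.
    """
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return 404, None
    return 200, att.filename


def view_attachment_fixed(user, card_id, attachment_id):
    """Same endpoint with object-level authorization.

    Both failure cases return 404 so that an unauthorized caller cannot use
    the status code to learn which IDs exist (no enumeration oracle).
    """
    att = ATTACHMENTS.get(attachment_id)
    # 1. The attachment must belong to the card named in the URL.
    if att is None or att.card_id != card_id:
        return 404, None
    # 2. The requesting user must have access to that card.
    if user not in CARD_MEMBERS.get(card_id, set()):
        return 404, None
    return 200, att.filename
```

Switching to random IDs would only slow enumeration; the per-request ownership check is what closes the hole.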
Impact
An unauthorized user can view and download the files of other users. This may leak sensitive user information.