Trello: Normal User can add new users to group

2015-10-02T16:42:09
ID H1:92050
Type hackerone
Reporter sarwarjahan
Modified 2015-10-14T17:08:04

Description

A normal user does not have the privilege to add new members to a group. But by adding the following HTML button (payload) to the page, a normal user can add new members to a group, an action he did not have the privilege to perform.

Payload: <a class="button-link u-gutter js-manage-members" href="#"><span class="icon-sm icon-member"></span> Add Members</a>

Steps To Reproduce:
1. Log in to Trello: https://trello.com/login
2. Navigate to the Members page of any team for which you are a normal user.
3. Add the above HTML element to the page using the browser's developer tools, as shown in the PoC video.
4. Click the newly added button.
5. Enter the email address of someone who is not a Trello user.
6. Click the Send button.

Result: Trello displays a "forbidden" message. But refresh the page and observe that the new member has been added to the group by a low-privilege Trello user who did not have the privilege to add members to the group.
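The behaviour reported above (a "forbidden" response, yet the member appears after a refresh) is the signature of an authorization check that runs after, or independently of, the state-changing side effect, while the only thing stopping a normal user in the UI is a hidden button. The following is an added example written for this page, not Trello's code: the team/role model, the `can_manage_members` permission and both handler variants are assumptions chosen to illustrate the pattern. It places a handler that records the invite before checking permission beside one that authorizes first, and exercises both as a normal user.

```python
"""Server-side authorization for a team "add member" action.

Added example, not Trello's code: the team/user model, the role names and the
two handler variants are assumed for illustration. It contrasts a handler that
mutates state before checking permission (the caller sees "forbidden" while the
member was nevertheless added) with one that checks first and only then mutates.
"""
from dataclasses import dataclass, field

ADMIN, NORMAL = "admin", "normal"


@dataclass
class Team:
    name: str
    roles: dict = field(default_factory=dict)   # user -> ADMIN | NORMAL
    pending_invites: list = field(default_factory=list)

    def can_manage_members(self, user: str) -> bool:
        # Only team admins may invite; a user not on the team has no rights at all.
        return self.roles.get(user) == ADMIN


def send_invite(team: Team, email: str) -> None:
    # Stand-in for the invite e-mail side effect; records the pending member.
    team.pending_invites.append(email)


def add_member_vulnerable(team: Team, actor: str, email: str) -> tuple:
    """Bug pattern: the side effect runs before the permission check.

    The response is 403, matching the "forbidden" message in the report, yet the
    invite is already recorded and shows up when the page is refreshed.
    """
    send_invite(team, email)
    if not team.can_manage_members(actor):
        return 403, "forbidden"
    return 200, "invited"


def add_member_fixed(team: Team, actor: str, email: str) -> tuple:
    """Authorize first; nothing changes unless the check passes.

    Hiding the button client-side is not a control; this check is the control.
    """
    if not team.can_manage_members(actor):
        return 403, "forbidden"
    send_invite(team, email)
    return 200, "invited"


def demo() -> dict:
    """Run both handlers as a normal user and report what state changed."""
    results = {}
    for label, handler in (("vulnerable", add_member_vulnerable),
                           ("fixed", add_member_fixed)):
        # Constructed sample team: alice is an admin, bob is a normal member.
        team = Team("example-team", roles={"alice": ADMIN, "bob": NORMAL})
        status, msg = handler(team, "bob", "newcomer@example.invalid")
        results[label] = (status, msg, list(team.pending_invites))
    return results


if __name__ == "__main__":
    for label, (status, msg, invites) in demo().items():
        print(f"{label:10s} status={status} message={msg!r} "
              f"pending_invites={invites}")
```

Running the block shows both handlers answering 403 to the normal user, but only the vulnerable one leaves an invite behind. The detection lesson for defenders is the same: a 403 in the access log is not evidence that nothing happened; audit the data store, and require that every privileged mutation is authorized in the same code path that performs it.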

Please refer to the following PoC video for the steps and proof. PoC Video: https://drive.google.com/folderview?id=0B3TS39fNVVULSncyOWZtd285eWs&usp=sharing