Broken Access Control — NodeBB v3.6.7
Title: Broken Access Control - on NodeBB v3.6.7Date: 22/2/2024
Exploit Author: Vibhor Sharma
Vendor Homepage: https://nodebb.org/
version: 3.6.7
I identified a broken access control vulnerability in nodeBB v3.6.7, enabling attackers to access restricted information intended solely for administrators. Specifically, this data is accessible only to admins and not regular users. Through testing, I discovered that when a user accesses the group section of the application and intercepts the response for the corresponding request, certain attributes are provided in the JSON response. By manipulating these attributes, a user can gain access to tabs restricted to administrators. Upon reporting this issue, it was duly acknowledged and promptly resolved by the developers.
Steps To Reproduce:
1) The user with the least privileges needs to navigate to the group section.
2) Intercept the response for the group requests.
3) In the response modify certain parameters:
“ “system”:0,”private”:0,”isMember”:true,”isPending”:true,”isInvited”:true,”isOwner”:true,”isAdmin”:true, “ “.
4) Forward the request and see that the attacker can access the restricted information.
The issue was acknowledged and resolved by the Organisation in the same version.
Impact:
Attacker was able to access the restricted tabs for the Admin group which are only allowed the the administrators.