Broken Access Control - on NodeBB v3.6.7

EDB-ID:

51930

CVE:

N/A




Platform:

Multiple

Date:

2024-03-28


Exploit Title: Broken Access Control - on NodeBB v3.6.7

Date: 22/2/2024

Exploit Author: Vibhor Sharma

Vendor Homepage: https://nodebb.org/

Version: 3.6.7

Description:

I identified a broken access control vulnerability in nodeBB v3.6.7,
enabling attackers to access restricted information intended solely
for administrators. Specifically, this data is accessible only to
admins and not regular users. Through testing, I discovered that when
a user accesses the group section of the application and intercepts
the response for the corresponding request, certain attributes are
provided in the JSON response. By manipulating these attributes, a
user can gain access to tabs restricted to administrators. Upon
reporting this issue, it was duly acknowledged and promptly resolved
by the developers.



Steps To Reproduce:
1) User with the least previlages needs to neviagte to the group section.
2) Intercept the response for the group requets.
3) In the response modify the certian paramters : "
*"system":0,"private":0,"isMember":true,"isPending":true,"isInvited":true,"isOwner":true,"isAdmin":true,
**" *".
4) Forward the request and we can see that attacker can access the
restricted information.

*Impact:*
Attacker was able to access the restricted tabs for the Admin group
which are only allowed the the administrators.