Summary
An insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data.
Details
The vulnerability exists in the Rallly application’s participant deletion endpoint. The backend fails to validate ownership or authorization before processing a deletion request. It assumes that anyone with a valid participant ID has the right to perform the delete action.
Using a previously disclosed information disclosure issue (GHSA-xw47-6mpg-5hww
PoC
Test Environment Setup:
Target: Local Rallly instance at http://192.168.11.109:3000/
Victim (User A): fairalien (Poll owner)
Attacker (User B): hehe (Normal participant)
Steps to Reproduce:
1- Obtain participant IDs:
Use the previous vulnerability (GHSA-xw47-6mpg-5hww
2- Intercept a legitimate delete request:
Capture the request made when the attacker deletes their own participation.
3- Modify the request and forward it:
Replace the attacker's participant ID with another user’s ID (e.g., fairalien) and send the tampered request to the server. The server accepts it and deletes the targeted participant.
4- Observe result:
The victim participant is removed from the poll even though the attacker does not own it.
Impact
This vulnerability allows unauthorized users to delete arbitrary participants from polls, including poll owners. It affects data integrity (by modifying participant data without permission) and availability (by removing participants and potentially disrupting poll functionality).
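The root cause described above is that the only input deciding the outcome of a delete is the client-supplied participant ID. The following TypeScript is an added illustration, not Rallly's own code (the advisory does not show the real handler): a hypothetical in-memory store with a vulnerable delete function beside a hardened one that derives authorization from the server-side session identity (the requester must be the participant themselves or the owner of the poll). All names (Poll, Participant, deleteParticipantVulnerable, deleteParticipantHardened, replayAdvisoryScenario) and the sample data are constructed for the example.

```typescript
// Added example, not Rallly's code. Models a poll participant store and
// contrasts an IDOR-prone delete handler with an ownership-checked one.

interface Poll { id: string; ownerUserId: string; }
interface Participant { id: string; pollId: string; userId: string; }

type DeleteResult = "deleted" | "not_found" | "forbidden";

// Constructed sample data mirroring the advisory's setup:
// fairalien owns the poll, hehe is an ordinary participant.
const polls = new Map<string, Poll>([
  ["poll-1", { id: "poll-1", ownerUserId: "fairalien" }],
]);

function makeParticipants(): Map<string, Participant> {
  return new Map<string, Participant>([
    ["part-owner", { id: "part-owner", pollId: "poll-1", userId: "fairalien" }],
    ["part-hehe", { id: "part-hehe", pollId: "poll-1", userId: "hehe" }],
  ]);
}

// Vulnerable: the requester's identity is ignored; possession of a valid
// participant ID is treated as permission to delete it.
function deleteParticipantVulnerable(
  store: Map<string, Participant>,
  _requesterUserId: string,
  participantId: string,
): DeleteResult {
  if (!store.has(participantId)) return "not_found";
  store.delete(participantId);
  return "deleted";
}

// Authorization rule evaluated server-side from the session user, never
// from a client-supplied field: the participant themselves, or the owner
// of the poll the participant belongs to, may delete the record.
function canDeleteParticipant(requesterUserId: string, participant: Participant): boolean {
  if (participant.userId === requesterUserId) return true;
  const poll = polls.get(participant.pollId);
  return poll !== undefined && poll.ownerUserId === requesterUserId;
}

// Hardened: look the object up first, then check the relationship between
// the authenticated requester and that object before mutating anything.
function deleteParticipantHardened(
  store: Map<string, Participant>,
  requesterUserId: string,
  participantId: string,
): DeleteResult {
  const participant = store.get(participantId);
  if (participant === undefined) return "not_found";
  if (!canDeleteParticipant(requesterUserId, participant)) return "forbidden";
  store.delete(participantId);
  return "deleted";
}

// Replays the advisory's scenario: "hehe" submits a delete for the owner's
// participant ID against each handler, starting from a fresh store.
function replayAdvisoryScenario(): { vulnerable: DeleteResult; hardened: DeleteResult } {
  const vulnerable = deleteParticipantVulnerable(makeParticipants(), "hehe", "part-owner");
  const hardened = deleteParticipantHardened(makeParticipants(), "hehe", "part-owner");
  return { vulnerable, hardened };
}

const outcome = replayAdvisoryScenario();
console.log(`vulnerable handler: ${outcome.vulnerable}, hardened handler: ${outcome.hardened}`);
```

The point of the hardened version is that the ID only selects the row; the decision to delete comes from the relationship between the session user and that row. Returning a distinct "forbidden" status is a choice made here for clarity; a deployment may prefer to answer "not_found" for both cases so the endpoint does not confirm which participant IDs exist.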