CVE-2023-43194: Submitty Incorrect Access Control Vulnerability Report

Introduction

Submitty before v22.06.00 is vulnerable to Incorrect Access Control. An attacker can delete any post in the forum by modifying request parameter.

CVSS Score

Score

• CVSS v3.1: 5.4
• Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Impact

• Confidentiality: This vulnerability has no direct impact on confidentiality.
• Integrity: The attcker can delete any post in the forum.
• Availability: The attcker can delete any post in the forum.

Likelihood

• Skill Required: This attack requires basic knowledge of HTTP request.
• Conditions: The attcker must be able to create a post and delete its own post.
• Discoverability: This vulnerability is easy to find.

Problem Details

Overview

This report identifies an Incorrect Access Control vulnerability within Submitty, specifically within the post deletion functionality of the forum component. The vulnerability arises due to insufficient parameter validation. An attacker can exploit this flaw by modifying the request body.

The core issue lies in the inadequate validation of user privileges when a request is made to delete a forum post. In a typical scenario, a user should only be able to delete their own posts or, in the case of an administrator, any post. However, due to the lack of proper access control checks within the system, an unauthorized user can manipulate the HTTP request sent to the server. By altering parameters such as the post identifier within the request body, an attacker can bypass the standard permission model.

The most alarming consequence of this vulnerability is the ability of an attacker to delete any post on the forum, regardless of their permission level. This can lead to several significant issues:

1. Important educational discussions or announcements can be removed, leading to a loss of valuable information for users.
2. The vulnerability can be exploited to disrupt the normal operation of the forum, causing confusion and mistrust among users.

Affected Area

The forum component of Submitty.

Root Cause

The service used following code to check if an user can modify a post.

$post_id = $_POST["post_id"] ?? $_POST["edit_post_id"];
$post = $this->core->getQueries()->getPost($post_id);
if (!$this->core->getAccess()->canI("forum.modify_post", ['post_author' => $post['author_user_id']])) {
    return $this->core->getOutput()->renderJsonFail('You do not have permissions to do that.');
}

However, the service uses another parameter from POST request as delete parameter. The parameter thread_id is not validated by the previous check.

$thread_id = $_POST["thread_id"];
$thread_title = $this->core->getQueries()->getThread($thread_id)['title'];
if ($this->core->getQueries()->setDeletePostStatus($post_id, $thread_id, 1)) {
    $type = "thread";
}
else {
    $type = "post";
}

Therefore, an attacker can modify the request parameter in the post body and delete the post in another thread.

Steps to Reproduce

Following steps are required to reproduce the issue. An HTTP traffic interceptor is also required, such as Burp Suite.

1. Create two accounts for Submitty.
2. Access to the forum component of Submitty (any version before v22.06.00) with account A.
3. Create a new post in a nre thread to the forum.
4. Log in with account B, create another post in a new thread.
5. Enable interceptor, click delete button to send a delete request.
6. Modify the request body, change thread_id to the thread that created by account A.
7. Foward the modified request, notice that the post created by account A has been deleted.

Remediations

Verify all parameters at server side. Be aware of parameter mismatches.

References

The vulnerability has been fixed as a part of pull request 8032.

Report prepared by: Fu Chai Date: 10/31/2023