
Insecure Direct Object Reference (IDOR) found in Stable Help Desk Enterprise #8305

Open
amjadali-110 opened this issue Nov 16, 2024 · 0 comments
Labels: Customer reported Bug (Support Ticket and Customer reported bugs); Paid (Paid Product issues)

Hi Team,
I am Amjad Ali. I want to inform you that I have identified a security issue. I reported this issue to your team via email but have not received any response, so I am raising the issue here.

  • Vulnerability Name: Insecure Direct Object Reference (IDOR) in "My Tasks" Section
  • CWE: CWE-639: Insecure Direct Object Reference
  • Severity: High
  • Date: 11-11-2024
  • Product Name: Stable Help Desk Enterprise
  • Version: 9.2.0

Description:

During security testing of the "Stable Help Desk Enterprise (v9.2.0)" application via the online demo environment (https://stablehelpdesk.faveodemo.com/), an Insecure Direct Object Reference (IDOR) vulnerability was identified in the "My Tasks" section. This testing was conducted in the demo/testing environment, and no real data or production environment was impacted.
The vulnerability allows unauthorized access to task details by manipulating the thread ID in the URL. By altering the task identifier, an agent can view tasks assigned to other users, leading to a potential data exposure risk. It is advised to address this issue promptly to prevent any unauthorized access in production environments.

  • Actual Behavior:
    An agent can access tasks that do not belong to them by modifying the thread ID in the URL, viewing sensitive information without authorization.
  • Expected Behavior:
    The application should restrict access to task details based on the logged-in user’s permissions. Users should only be able to access tasks assigned to them and should receive an "Access Denied" or "Unauthorized" response when attempting to view other users’ tasks.

Steps To Reproduce:

  1. Login to the application as an Agent.
  2. Navigate to the Tasks Section.
    • Observe that the "List of Tasks" shows only tasks assigned to the logged-in agent (e.g., only 2 tasks are visible).
  3. Click on any task to view its details (e.g., https://stablehelpdesk.faveodemo.com/panel/thread/37).
  4. Note the URL structure, where the task is identified by a thread ID (e.g., thread/37).
  5. Modify the thread ID in the URL to a different number (e.g., change 37 to 1):
    [https://stablehelpdesk.faveodemo.com/panel/thread/1].
  6. Observe that you are able to access details of a task that belongs to another agent, indicating an IDOR vulnerability.

Video POC:- https://drive.google.com/file/d/1Nqc8852v3_N1qdZuRPG6BS9LL74sI48j/view?usp=sharing

Impact:

This vulnerability can lead to unauthorized access to sensitive task information, potentially exposing details such as:

  • Private customer communications
  • Confidential notes or internal comments
  • Sensitive business data

An attacker could use this information for malicious purposes, compromising data privacy and integrity. The severity of this issue is High due to the potential for sensitive information exposure.

Remediation:

Implement Access Control: Ensure that proper access control checks are in place to validate the user's permissions before granting access to the task details. The backend should verify that the logged-in agent is authorized to view the specified task.
Use Indirect References: Avoid exposing internal identifiers like thread IDs directly in the URL. Instead, use indirect references (e.g., UUIDs or tokens) that cannot be easily guessed or manipulated.
Error Handling: Return a proper error response (e.g., HTTP 403 Forbidden) when a user attempts to access a resource they do not own.

References:

Thanks & Regards
Amjad Ali (Cybersecurity Researcher)
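The remediation above asks for a server-side ownership check before any task detail is returned. The following is an added illustration, not code from Faveo or the Stable Help Desk product: it models the unchecked lookup the report describes next to a hardened version that enforces assignment, and includes a small sweep that reproduces the reporter's test (one agent session iterating thread IDs and recording which foreign tasks were readable). All names, the in-memory task store, and the sample agent and thread IDs are constructed assumptions for the example.

```python
# Added example (not Faveo / Stable Help Desk code): ownership check for a
# /panel/thread/{id}-style route, shown beside the unchecked lookup the report
# describes, plus an IDOR sweep that mirrors the reproduction steps.
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Agent:
    agent_id: int
    role: str = "agent"  # "agent" or "admin"; assumed role model for the example


@dataclass(frozen=True)
class Task:
    thread_id: int
    assigned_to: int  # agent_id of the owner
    title: str


# Constructed sample data; IDs are arbitrary and not taken from the demo site.
TASKS = {
    1: Task(1, assigned_to=7, title="Refund request (owned by agent 7)"),
    37: Task(37, assigned_to=3, title="Password reset (owned by agent 3)"),
    38: Task(38, assigned_to=3, title="Billing question (owned by agent 3)"),
}


class Forbidden(Exception):
    """Maps to HTTP 403 in the web layer."""


class NotFound(Exception):
    """Maps to HTTP 404 in the web layer."""


def get_thread_vulnerable(user: Agent, thread_id: int) -> Task:
    # Looks up by the client-supplied ID only: being logged in is the sole
    # requirement, so any agent can read any other agent's task.
    task = TASKS.get(thread_id)
    if task is None:
        raise NotFound(thread_id)
    return task


def get_thread(user: Agent, thread_id: int) -> Task:
    # Hardened: same lookup, then an explicit authorization check on the
    # server side before any task data is returned to the caller.
    task = TASKS.get(thread_id)
    if task is None:
        raise NotFound(thread_id)
    if user.role != "admin" and task.assigned_to != user.agent_id:
        raise Forbidden(thread_id)
    return task


def status_for(handler: Callable[[Agent, int], Task], user: Agent, thread_id: int) -> int:
    """HTTP status the web layer would emit for this handler/user/ID combination."""
    try:
        handler(user, thread_id)
    except Forbidden:
        return 403
    except NotFound:
        return 404
    return 200


def probe_idor(handler: Callable[[Agent, int], Task], user: Agent, id_range: Iterable[int]) -> List[int]:
    """Reproduce the report's test: with one agent session, walk a range of
    thread IDs and return those that were readable but belong to someone else."""
    leaked = []
    for tid in id_range:
        try:
            task = handler(user, tid)
        except (Forbidden, NotFound):
            continue
        if task.assigned_to != user.agent_id:
            leaked.append(tid)
    return leaked


if __name__ == "__main__":
    agent3 = Agent(agent_id=3)
    print("vulnerable handler leaks:", probe_idor(get_thread_vulnerable, agent3, range(1, 50)))
    print("hardened handler leaks:  ", probe_idor(get_thread, agent3, range(1, 50)))
```

The sweep is what distinguishes a real IDOR from a benign shared resource: a non-empty result for a plain agent session means the authorization decision is missing, not merely that IDs are sequential. Switching to UUIDs (the report's second suggestion) only raises the cost of enumeration; the ownership check in `get_thread` is the control that actually closes the issue. Whether the denied case returns 403 (as the report requests) or 404 (to avoid confirming that a thread ID exists) is a product decision; either is acceptable as long as no task data is returned.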

@amjadali-110 amjadali-110 added Customer reported Bug Support Ticket and Customer reported bugs Paid This label considered as a Paid Product issues. labels Nov 16, 2024