[
https://issues.apache.org/jira/browse/JSPWIKI-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Juan Pablo Santos RodrÃguez closed JSPWIKI-1141.
------------------------------------------------
> Insecure Direct Object Reference can abort any id workflow
> ----------------------------------------------------------
>
> Key: JSPWIKI-1141
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1141
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.11.0-M8
> Environment: Windows new version
> Firefox version 84.0.1
> Reporter: Nguyen Dang Khai
> Priority: Critical
>
> * Summary:
> The function does not check whether the id is owned by the current user or
> not lead to Vulnerable can abort any id workflow of other user.
> * Analyzer:
> In *Workflow.jsp*, line 78 :
> {code:java}
> if( "abort".equals(request.getParameter("action")) )
> {code}
> After that :
> Line 83:
> {code:java}
> int id = Integer.parseInt( request.getParameter( "id" ) );
> {code}
> After found id match. In line 92 *kill workflow* without check session id of
> user.
> {code:java}
> w.abort( wikiContext );
> {code}
> > With action decide, in line 53, function use:
> {code:java}
> DecisionQueue dq = wiki.getManager( WorkflowManager.class
> ).getDecisionQueue();
> {code}
> can *protect idor* lead to decide id workflow.
> * This is request vulnerable:
> {code:java}
> GET /Workflow.jsp?id=1&action=abort HTTP/1.1
> Host: jspwiki-wiki.apache.org
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
