Security Issue - Editing Other Users Comments

Question

Security Issue - Editing Other Users Comments

Closed this issue 6 months ago · 4 comments

Is this a BUG REPORT or FEATURE REQUEST?:

BUG
FEATURE

What happened:
It is possible to edit any user's comment with a low-privileged user, such as a customer with a User role. This can be done by tampering with the WebSocket message being sent to the server, allowing the modification of the message ID and corresponding message content to be accepted by the backend.

What did you expect to happen:
Enforce server-side validation to restrict low-privileged users from modifying others' comments via WebSocket messages, and implement role-based access control to ensure only authorized users can edit comments.

How to reproduce it (as minimally and precisely as possible):

Authenticate the system using a customer with a User role.
Access an arbitrary ticket with some comments.
Notice the admin has posted an informative comment with important data for the group.
Post a random comment in the ticket thread to be edited later.
Edit the comment you just posted and intercept the relevant WebSocket message using dedicated Proxy tools.
Edit the "item" parameter value passed in the WebSocket message to the message ID you would like to edit (message IDs can be fetched in previous WebSocket messages returned to the client, see attached video)
Notice the server accepts the modification and proceed to edit all other users' comments in all the existing tickets.

Anything else we need to know?:
I'm available for further questions.

Environment:

Trudesk Version: (Docker) polonel/trudesk:1.2.10
OS (e.g. from /etc/os-release): (Docker) Alpine Linux v3.15.4
Node.JS Version: v16.14.2
MongoDB Version: (Docker) mongo:5.0-focal
Is this hosted on cloud.trudesk.io: No

Below is a PoC that showcases a customer with a User role that changes an Admin comment in a ticket:

2024-04-20.13-33-27.mp4

Answer 1 · 2024-05-20T21:37:22.000Z

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

Answer 2 · 2024-05-24T08:50:54.000Z

Hi, any feedback?

Answer 3 · 2024-06-24T21:37:49.000Z

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

Answer 4 · 2024-06-30T21:37:01.000Z

This issue was closed because it has been stalled for 5 days with no activity.