You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What happened:
It is possible to edit any user's comment with a low-privileged user, such as a customer with a User role. This can be done by tampering with the WebSocket message being sent to the server, allowing the modification of the message ID and corresponding message content to be accepted by the backend.
What did you expect to happen:
Enforce server-side validation to restrict low-privileged users from modifying others' comments via WebSocket messages, and implement role-based access control to ensure only authorized users can edit comments.
How to reproduce it (as minimally and precisely as possible):
Authenticate the system using a customer with a User role.
Access an arbitrary ticket with some comments.
Notice the admin has posted an informative comment with important data for the group.
Post a random comment in the ticket thread to be edited later.
Edit the comment you just posted and intercept the relevant WebSocket message using dedicated Proxy tools.
Edit the "item" parameter value passed in the WebSocket message to the message ID you would like to edit (message IDs can be fetched in previous WebSocket messages returned to the client, see attached video)
Notice the server accepts the modification and proceed to edit all other users' comments in all the existing tickets.
Anything else we need to know?:
I'm available for further questions.
Environment:
Trudesk Version: (Docker) polonel/trudesk:1.2.10
OS (e.g. from /etc/os-release): (Docker) Alpine Linux v3.15.4
Node.JS Version: v16.14.2
MongoDB Version: (Docker) mongo:5.0-focal
Is this hosted on cloud.trudesk.io: No
Below is a PoC that showcases a customer with a User role that changes an Admin comment in a ticket:
2024-04-20.13-33-27.mp4
The text was updated successfully, but these errors were encountered:
Is this a BUG REPORT or FEATURE REQUEST?:
What happened:
It is possible to edit any user's comment with a low-privileged user, such as a customer with a User role. This can be done by tampering with the WebSocket message being sent to the server, allowing the modification of the message ID and corresponding message content to be accepted by the backend.
What did you expect to happen:
Enforce server-side validation to restrict low-privileged users from modifying others' comments via WebSocket messages, and implement role-based access control to ensure only authorized users can edit comments.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
I'm available for further questions.
Environment:
Below is a PoC that showcases a customer with a User role that changes an Admin comment in a ticket:
2024-04-20.13-33-27.mp4
The text was updated successfully, but these errors were encountered: