Details
- Bug
- Status: Closed
- Critical
- Resolution: Cannot Reproduce
- 2.11.0-M8
- None
- None
- Windows new version
  Firefox version 84.0.1
Description
- Summary:
The function does not check whether the id is owned by the current user, which allows a user to abort any workflow id belonging to another user.
- Analysis:
In Workflow.jsp, line 78:
    if( "abort".equals(request.getParameter("action")) )
After that, line 83:
    int id = Integer.parseInt( request.getParameter( "id" ) );
After a matching id is found, line 92 kills the workflow without checking the session id of the user:
    w.abort( wikiContext );
> With the decide action, in line 53, the function uses:
    DecisionQueue dq = wiki.getManager( WorkflowManager.class ).getDecisionQueue();
which can protect against an IDOR leading to deciding a workflow id.
- This is the vulnerable request:
    GET /Workflow.jsp?id=1&action=abort HTTP/1.1
    Host: jspwiki-wiki.apache.org
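
The ownership check this report is about, as an added example that is not part of the original report and is not JSPWiki code: the abort handler searches only the workflows owned by the session user, so an id that belongs to someone else is treated the same as an unknown id. `Workflow`, `WorkflowStore` and `abort` are hypothetical stand-ins for the wiki's own classes, and the sample data is constructed.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added illustration; Workflow and WorkflowStore are hypothetical, not JSPWiki classes. */
public class AbortOwnershipCheck {

    record Workflow(int id, String owner) {}

    static final class WorkflowStore {
        private final Map<Integer, Workflow> active = new HashMap<>();

        void add(Workflow w) { active.put(w.id(), w); }
        void remove(int id) { active.remove(id); }
        boolean contains(int id) { return active.containsKey(id); }

        /** Returns only the workflows started by this user, so the lookup is scoped to the session. */
        List<Workflow> ownedBy(String user) {
            return active.values().stream().filter(w -> w.owner().equals(user)).toList();
        }
    }

    /** Handles action=abort; returns true only when the session user owns the workflow. */
    static boolean abort(WorkflowStore store, String sessionUser, String idParam) {
        final int id;
        try {
            id = Integer.parseInt(idParam);
        } catch (NumberFormatException e) {
            return false; // missing or malformed id: reject instead of failing the page
        }
        for (Workflow w : store.ownedBy(sessionUser)) {
            if (w.id() == id) {
                store.remove(id);
                return true;
            }
        }
        return false; // unknown id or another user's workflow: same answer for both
    }

    public static void main(String[] args) {
        WorkflowStore store = new WorkflowStore();
        store.add(new Workflow(1, "alice")); // constructed sample data
        store.add(new Workflow(2, "bob"));

        System.out.println("bob aborts id=1:   " + abort(store, "bob", "1"));
        System.out.println("id=1 still active: " + store.contains(1));
        System.out.println("alice aborts id=1: " + abort(store, "alice", "1"));
        System.out.println("alice aborts id=x: " + abort(store, "alice", "x"));
    }
}
```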