Indico Broken Object Level Authorization Vulnerability

Vulnerability

A Broken Object Level Authorization (BOLA) vulnerability exists in Indico versions up to and including 3.3.5. An authenticated attacker can read information about other user accounts by sending a crafted POST request to the /api/principals endpoint. The issue arises because the endpoint, by design, lets any registered user look up details of other accounts: the lookup is not restricted to privileged roles such as event organizers, and each requested identifier is resolved without checking whether the requester is entitled to see that particular user's data.

Impact

Exploitation of this vulnerability lets any registered user retrieve details of arbitrary other accounts, bypassing the intended authorization controls. Because user identifiers are numeric (of the form 'User:<id>'), an attacker can also iterate over them to harvest account data at scale rather than targeting a single user.

Reproduction

To reproduce this vulnerability, register an ordinary (unprivileged) account on an Indico instance and navigate to the 'Create Event' section. Using an intercepting proxy such as Burp Suite, capture the POST request the page sends to the '/api/principals' endpoint. Replay that request with the 'values' parameter changed to the identifier of another account (e.g., 'User:2302'). The response contains that account's details even though the requesting user holds no privileged role.

Remediation

Indico administrators should update to a release in which this vulnerability has been addressed (later than 3.3.5). Where an immediate upgrade is not possible, restrict access to the '/api/principals' endpoint to authorized users and add a per-object check so that each requested identifier is compared against the requester's permissions (self, administrator, or an event-organizer role) rather than resolved unconditionally; a role-based access control (RBAC) mechanism alone is not enough if every request is still honoured in full once the role check passes. Note that this endpoint backs the user search used when creating events, so a blanket block will affect ordinary users and should be tested before deployment.
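The following is an added illustration of the per-object check described above, written in Python because Indico is a Python application; it is not Indico's own code, and the data model, the field names, the role policy (a requester may see private fields only for their own account, as an administrator, or as an organizer of at least one event) and the per-request cap are all hypothetical. It places a handler that mirrors the flaw beside a hardened one so the difference in behaviour can be checked directly.

```python
"""Per-object authorization for a principal-lookup endpoint (hypothetical model, not Indico code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    name: str
    email: str
    affiliation: str
    is_admin: bool = False
    manages_events: frozenset = frozenset()  # ids of events this user organizes (assumed model)


# Constructed sample directory; ids, names and addresses are made up for this example.
USERS = {u.id: u for u in (
    User(1, "Alice Example", "alice@example.org", "Example Org"),
    User(2302, "Bob Target", "bob@example.org", "Target Institute"),
    User(3, "Carol Admin", "carol@example.org", "Example Org", is_admin=True),
    User(4, "Dan Organizer", "dan@example.org", "Example Org", manages_events=frozenset({7})),
)}

PUBLIC_FIELDS = ("identifier", "name")      # what any authenticated user may see about another account
PRIVATE_FIELDS = ("email", "affiliation")   # reserved for the account owner and privileged roles
MAX_VALUES = 50                             # cap per request so the endpoint cannot be used for bulk enumeration


def parse_identifier(value):
    """Accept only 'User:<numeric id>'; anything else is rejected rather than guessed at."""
    kind, sep, raw_id = value.partition(":")
    if kind != "User" or not sep or not raw_id.isdigit():
        raise ValueError(f"unsupported principal identifier: {value!r}")
    return int(raw_id)


def _record(user):
    return {
        "identifier": f"User:{user.id}",
        "name": user.name,
        "email": user.email,
        "affiliation": user.affiliation,
    }


def principals_vulnerable(requester, values):
    """Mirrors the flaw: every identifier is resolved and returned in full; `requester` is never consulted."""
    result = {}
    for value in values:
        user = USERS.get(parse_identifier(value))
        if user is not None:
            result[value] = _record(user)
    return result


def can_view_private(requester, target):
    """Assumed policy: own account, administrator, or organizer of at least one event."""
    return requester.id == target.id or requester.is_admin or bool(requester.manages_events)


def principals_hardened(requester, values):
    """Same lookup, but each requested object is filtered against the requester's rights."""
    if len(values) > MAX_VALUES:
        raise ValueError(f"at most {MAX_VALUES} identifiers per request")
    result = {}
    for value in values:
        user = USERS.get(parse_identifier(value))
        if user is None:
            continue  # unknown ids are simply omitted, as in the vulnerable variant
        allowed = PUBLIC_FIELDS + (PRIVATE_FIELDS if can_view_private(requester, user) else ())
        record = _record(user)
        result[value] = {key: record[key] for key in allowed}
    return result


if __name__ == "__main__":
    alice = USERS[1]  # an ordinary registered user replaying the captured request
    print("vulnerable:", principals_vulnerable(alice, ["User:2302"]))
    print("hardened:  ", principals_hardened(alice, ["User:2302"]))
```

The hardened variant still serves the user search that the 'Create Event' page depends on (name and identifier remain visible to any authenticated user), which is why the filter is applied per field and per object instead of gating the whole endpoint behind a role.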

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.6
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.