Rallly IDOR Vulnerability in Poll Participant Deletion Endpoint Allows Unauthorized Deletions
Vulnerability
An insecure direct object reference (IDOR) vulnerability has been identified in Rallly, an open-source scheduling and collaboration tool, prior to version 4.5.4. This vulnerability allows any authenticated user to delete participants from polls without verifying ownership. The deletion endpoint authorizes requests based solely on participant IDs, enabling users to remove others, including poll owners, from their polls. This issue affects the integrity and availability of poll participation data.
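The following TypeScript sketch contrasts the authorization pattern described above with a corrected one. It is an added example, not Rallly's own code: the in-memory store, the `Poll`/`Participant` shapes, and the function names are assumptions chosen for illustration, and the real endpoint, schema and ORM are not reproduced. The vulnerable handler accepts any authenticated caller and deletes whatever participant ID it is given; the hardened handler loads the participant, resolves its poll, and only proceeds when the caller is that participant's own user or the poll owner.

```typescript
// Added example (not Rallly's code). Types, names and the in-memory store are
// assumptions made for illustration; only the authorization logic matters.

type Poll = { id: string; ownerId: string };
type Participant = { id: string; pollId: string; userId: string };
type Store = { polls: Map<string, Poll>; participants: Map<string, Participant> };

type DeleteResult = "deleted" | "unauthenticated" | "not_found" | "forbidden";

// Constructed sample data: one poll owned by "owner", with the owner and a
// guest both registered as participants.
function makeSampleStore(): Store {
  return {
    polls: new Map([["poll-1", { id: "poll-1", ownerId: "owner" }]]),
    participants: new Map([
      ["p-owner", { id: "p-owner", pollId: "poll-1", userId: "owner" }],
      ["p-guest", { id: "p-guest", pollId: "poll-1", userId: "guest" }],
    ]),
  };
}

// VULNERABLE pattern: the only check is "is the caller logged in?". The
// participant ID supplied by the client is treated as sufficient authority,
// so any authenticated user can delete any participant, including the owner.
function deleteParticipantVulnerable(
  store: Store,
  callerUserId: string,
  participantId: string,
): DeleteResult {
  if (!callerUserId) return "unauthenticated";
  return store.participants.delete(participantId) ? "deleted" : "not_found";
}

// HARDENED pattern: authorize against the object, not just the session.
// Load the participant, find its poll, and require that the caller is either
// the participant's own user or the owner of that poll.
function deleteParticipantSecure(
  store: Store,
  callerUserId: string,
  participantId: string,
): DeleteResult {
  if (!callerUserId) return "unauthenticated";

  const participant = store.participants.get(participantId);
  if (!participant) return "not_found";

  const poll = store.polls.get(participant.pollId);
  // A participant whose poll is missing is treated as not found rather than
  // silently deletable; an orphaned row should never widen access.
  if (!poll) return "not_found";

  const isSelf = participant.userId === callerUserId;
  const isPollOwner = poll.ownerId === callerUserId;
  if (!isSelf && !isPollOwner) return "forbidden";

  store.participants.delete(participantId);
  return "deleted";
}

// Side-by-side demonstration: the same request ("guest" deletes the owner's
// participation) succeeds under the vulnerable check and is refused under the
// hardened one.
function demonstrate(): { vulnerable: DeleteResult; secure: DeleteResult } {
  const vulnerable = deleteParticipantVulnerable(makeSampleStore(), "guest", "p-owner");
  const secure = deleteParticipantSecure(makeSampleStore(), "guest", "p-owner");
  return { vulnerable, secure };
}
```

The ownership check belongs in the server-side handler, keyed on the session's user ID, never on anything the client supplies; the participant ID remains an untrusted input even after authentication. Returning the same `not_found` result for a missing participant and a missing poll also avoids turning the endpoint into an oracle for which IDs exist.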
Impact
Exploitation of this vulnerability allows unauthorized deletion of poll participants, including poll owners, disrupting poll functionality and integrity by removing participants without consent.
Reproduction
To reproduce this vulnerability, an authenticated user must intercept a deletion request made for their own participation in a poll. This can be done using a web application proxy to capture the request, which will include the participant ID. The intercepted request can then be modified to replace the participant ID with that of another user, such as a poll owner, and sent to the server. The server will process the request and delete the targeted participant from the poll.
Remediation
Users are advised to upgrade to Rallly version 4.5.4 or later, where this vulnerability has been patched.
