LitmusChaos Broken Access Control Vulnerability in Login Response Handling
Vulnerability
A critical broken access control vulnerability exists in LitmusChaos versions up to and including 3.19.0. The issue arises in the authentication process at the /auth/login endpoint, where the projectID parameter can be manipulated. Because the server does not properly validate this client-side data, users can gain unauthorized access to other users' projects. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows users to access and manipulate projects belonging to other users, bypassing established access controls. This could lead to unauthorized viewing, modification, or deletion of project data.
Reproduction
To reproduce this vulnerability, log in as a user with access to specific projects. After authentication, intercept the response from the /auth/login endpoint using a proxy tool. The response will include project IDs and associated permissions. Modify the response by replacing a project ID with one from a project that the logged-in user does not have access to, then send the manipulated response. The frontend will accept the changes, granting access to the unauthorized project.
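The root cause described above is that project membership is trusted from data the client hands back after login. The Go sketch below, added here as an illustration and not code from the LitmusChaos project, shows the server-side check that removes that trust: every project-scoped request is authorized against the server's own membership table, so a projectID edited in the login response changes nothing. The membership map, the X-Authenticated-User header and the role names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

type Role string // a member's permission level inside a project

const (
	RoleViewer Role = "Viewer"
	RoleEditor Role = "Editor"
	RoleOwner  Role = "Owner"
)

// membership is the server's authoritative record (userID -> projectID -> role), loaded from the DB, never from client data.
type membership map[string]map[string]Role

var ErrForbidden = errors.New("user is not a member of the requested project")

// authorizeProject checks that userID holds at least minRole in projectID, deciding only from
// the server-side table: a client that edits the project list it received at login gains nothing.
func authorizeProject(store membership, userID, projectID string, minRole Role) error {
	rank := map[Role]int{RoleViewer: 1, RoleEditor: 2, RoleOwner: 3}
	role, ok := store[userID][projectID]
	if !ok || rank[role] < rank[minRole] {
		return ErrForbidden
	}
	return nil
}

// requireProjectRole re-checks authorization on every project-scoped request. The caller's identity
// is assumed to come from upstream session middleware, modelled as X-Authenticated-User (an assumption).
func requireProjectRole(store membership, minRole Role, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("X-Authenticated-User")
		projectID := r.URL.Query().Get("projectID")
		if err := authorizeProject(store, userID, projectID, minRole); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func main() { // constructed sample data: alice owns proj-a only
	store := membership{"alice": {"proj-a": RoleOwner}}
	fmt.Println(authorizeProject(store, "alice", "proj-a", RoleViewer), authorizeProject(store, "alice", "proj-b", RoleViewer))
}
```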
