LitmusChaos Missing Authorization Vulnerability in Project Deletion Handler
Vulnerability
A vulnerability exists in LitmusChaos versions through 3.19.0 that allows any authenticated user to delete projects belonging to other users. The DELETE request handler for project deletion does not verify that the requesting user owns the project identified by the projectID parameter, so the check is on authentication only, not on authorization for the specific object. The vulnerability can be exploited remotely by manipulating the projectID parameter, enabling users to delete projects they do not own.
Impact
Exploitation of this vulnerability leads to unauthorized deletion of projects, causing permanent loss of data and disruption of services associated with those projects.
Reproduction
The vulnerability can be reproduced by intercepting a DELETE request to the '/auth/delete_project/' endpoint using a tool like Burp Suite. The projectID parameter can be replaced with the ID of a project owned by another user, bypassing authorization checks and causing the project to be deleted.
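As an added illustration (not LitmusChaos code), a minimal Go handler with the same endpoint shape and the object-level ownership check in place: the project is deleted only when the authenticated caller owns it. The in-memory owner map, the context key and the upstream authentication middleware that sets the caller identity are all assumptions for the example.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
)

// Owners maps projectID -> ownerID; a constructed stand-in for the database.
type Owners map[string]string

// DeleteProjectAs is the object-level check the advisory says was missing: the
// project is removed only when the authenticated caller is its owner.
// It returns the HTTP status the handler should send.
func (o Owners) DeleteProjectAs(callerID, projectID string) int {
	owner, ok := o[projectID]
	if !ok {
		return http.StatusNotFound
	}
	if owner != callerID {
		return http.StatusForbidden // authenticated, but not authorised for this object
	}
	delete(o, projectID)
	return http.StatusNoContent
}

type ctxKey string

// callerKey carries the identity set by upstream auth middleware (assumed); the
// handler never takes the caller identity from the query string or body.
const callerKey ctxKey = "callerID"

// DeleteProjectHandler serves DELETE /auth/delete_project/?projectID=...
// (the router is assumed to restrict this handler to the DELETE method).
func DeleteProjectHandler(o Owners) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		caller, _ := r.Context().Value(callerKey).(string)
		if caller == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(o.DeleteProjectAs(caller, r.URL.Query().Get("projectID")))
	}
}

// serveDelete drives the handler as callerID and returns the HTTP status.
func serveDelete(o Owners, callerID, projectID string) int {
	req := httptest.NewRequest(http.MethodDelete, "/auth/delete_project/?projectID="+projectID, nil)
	req = req.WithContext(context.WithValue(req.Context(), callerKey, callerID))
	rec := httptest.NewRecorder()
	DeleteProjectHandler(o)(rec, req)
	return rec.Code
}
```

A request for another user's projectID now yields 403 and leaves the project in place, which is also the response worth alerting on when it repeats across many project IDs from one account.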
