elunez eladmin
cpe:2.3:a:eladmin:eladmin:*:*:*:*:*:*:*
- 1.1
An arbitrary file deletion vulnerability has been identified in Elunez Eladmin version 1.1. The issue lies in the deleteFile function of LocalStorageController, which does not verify that the requesting user owns the files being deleted; it checks only for the storage:del permission. As a result, a low-privileged user who holds that permission can delete files belonging to other users. The vulnerability is exploitable remotely, and a public proof-of-concept exploit is available.
Exploitation of this vulnerability allows for unauthorized deletion of files, potentially leading to data loss and disruption of service by removing critical files.
To reproduce this vulnerability, a low-privileged user holding the storage:del permission sends a DELETE request to the /api/localStorage endpoint with a list of file IDs to delete; the IDs can be chosen regardless of whether the user owns the corresponding files.
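The following is an added example, not code from the eladmin project: a Python model of the authorization decision described in the two paragraphs above. It replays the reported request (a user with storage:del sending a list of IDs that includes other users' files) against a vulnerable delete that checks only the permission, and against a hardened delete that also requires ownership of every requested ID. The in-memory store, the user and file records, the function names and the sample data are all constructed assumptions that mirror the described behaviour of LocalStorageController.deleteFile; they are not the project's Java code.

```python
"""Model of the missing-ownership-check flaw (added example, not eladmin code).

Assumptions: an in-memory file table keyed by numeric ID with an owner field,
a caller object carrying a permission set, and two delete functions that
mirror the described behaviour of LocalStorageController.deleteFile.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails (HTTP 403 in a real controller)."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


@dataclass
class StoredFile:
    file_id: int
    owner: str
    path: str


@dataclass
class LocalStorage:
    """Constructed stand-in for the application's file metadata table."""
    files: dict = field(default_factory=dict)

    def find_by_ids(self, ids):
        return [self.files[i] for i in ids if i in self.files]

    def delete_all(self, ids):
        for i in ids:
            self.files.pop(i, None)


def delete_files_vulnerable(store, caller, ids):
    """Mirrors the reported behaviour: only the storage:del permission is checked."""
    if "storage:del" not in caller.permissions:
        raise Forbidden("missing storage:del")
    store.delete_all(ids)  # ids are trusted as-is, so any user's files can go
    return sorted(ids)


def delete_files_hardened(store, caller, ids):
    """Permission check plus an ownership check on every requested id.

    Unknown ids are rejected as well, so a caller cannot probe which ids exist
    by watching which requests succeed; the request is all-or-nothing.
    """
    if "storage:del" not in caller.permissions:
        raise Forbidden("missing storage:del")
    requested = set(ids)
    owned = {f.file_id for f in store.find_by_ids(ids) if f.owner == caller.name}
    if owned != requested:
        raise Forbidden("caller does not own all requested files")
    store.delete_all(owned)
    return sorted(owned)


def make_store():
    """Constructed sample data: two users, three files."""
    store = LocalStorage()
    for fid, owner, path in [(1, "alice", "a/report.pdf"),
                             (2, "alice", "a/notes.txt"),
                             (3, "bob", "b/avatar.png")]:
        store.files[fid] = StoredFile(fid, owner, path)
    return store


def reproduce(hardened):
    """Replays the described request: bob holds storage:del but owns neither
    file 1 nor file 2, and sends DELETE /api/localStorage with ids [1, 2].
    Returns (ids deleted, ids still present)."""
    store = make_store()
    bob = User("bob", frozenset({"storage:del"}))
    fn = delete_files_hardened if hardened else delete_files_vulnerable
    try:
        deleted = fn(store, bob, [1, 2])
    except Forbidden:
        deleted = []
    return deleted, sorted(store.files)


if __name__ == "__main__":
    print("vulnerable:", reproduce(hardened=False))
    print("hardened:  ", reproduce(hardened=True))
```

The hardened variant rejects the whole request when any ID is not owned by the caller, rather than silently deleting the owned subset; that keeps the response from leaking which IDs exist. In a real fix the ownership filter belongs in the service or repository query (select by ID and owner), so that the controller's permission annotation and the data-level check cannot drift apart.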