Parisneo LollMS Friend Request IDOR Vulnerability Allowing Unauthorized Response Actions
Vulnerability
A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in Parisneo LollMS versions prior to 2.2.0. This vulnerability allows any authenticated user to accept or reject friend requests on behalf of other users. The issue arises in the 'respond_request()' function within 'backend/routers/friends.py', where proper authorization checks are missing. The '/api/friends/requests/{friendship_id}' endpoint does not verify if the user is involved in the friendship or is the intended recipient of the request. As a result, this vulnerability can lead to unauthorized actions, privacy violations, and potential social engineering exploits.
Impact
Exploitation of this vulnerability allows unauthorized users to accept or reject friend requests for other users, potentially forcing them into friendships without consent. This could disrupt social connections and privacy, especially if the friendship involves access to private conversations or data.
Reproduction
To reproduce this vulnerability, one authenticated user sends a friend request to another user. Once the request exists, a third authenticated user who is party to neither side of it (the attacker) can use their own token to accept or reject it simply by supplying that request's 'friendship_id' in the '/api/friends/requests/{friendship_id}' endpoint. Because the endpoint performs no authorization check, the response is processed even though the caller is neither the intended recipient nor otherwise involved in the friendship.
Remediation
Users are advised to update to LollMS version 2.2.0 or later, where this vulnerability has been fixed.
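To make the defect and its fix concrete, the following is an added illustration, not code from the LollMS repository: a minimal in-memory model of a friend-request store with the vulnerable handler beside a hardened one. The data model, user ids and function names are assumptions; the point is the object-level authorization check that the vulnerable version omits.

```python
# Added example, not LollMS's own friends router. Names, ids and the
# store layout are assumptions chosen to illustrate the IDOR pattern.
from dataclasses import dataclass


class NotFound(Exception):
    """No request with the given friendship_id exists."""


class Forbidden(Exception):
    """Caller is authenticated but is not the recipient of this request."""


@dataclass
class FriendRequest:
    friendship_id: int
    sender_id: int
    recipient_id: int
    status: str = "pending"


def make_store():
    """Constructed sample data: two pending requests between hypothetical users."""
    return {
        1: FriendRequest(friendship_id=1, sender_id=10, recipient_id=20),
        2: FriendRequest(friendship_id=2, sender_id=30, recipient_id=40),
    }


def respond_request_vulnerable(friendship_id, current_user_id, accept, store):
    """IDOR pattern: trusts the client-supplied id; current_user_id is never consulted."""
    req = store.get(friendship_id)
    if req is None:
        raise NotFound(friendship_id)
    req.status = "accepted" if accept else "rejected"
    return req.status


def is_recipient(store, friendship_id, user_id):
    """Object-level check: does the referenced request actually belong to this caller?"""
    req = store.get(friendship_id)
    return req is not None and req.recipient_id == user_id


def respond_request_fixed(friendship_id, current_user_id, accept, store):
    """Hardened handler: only the intended recipient may answer a pending request."""
    req = store.get(friendship_id)
    if req is None:
        raise NotFound(friendship_id)
    if not is_recipient(store, friendship_id, current_user_id):
        raise Forbidden(current_user_id)  # map to HTTP 403 in a real router
    if req.status != "pending":
        return req.status  # already answered; do not let a second call flip it
    req.status = "accepted" if accept else "rejected"
    return req.status
```

A unit test that exercises the handler with a caller who is not the recipient, as in the first assertion group below, is the cheapest regression check for this class of bug.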
