Psi Probe Broken Access Control Vulnerability in Session Attribute Management

Vulnerability

A broken access control vulnerability has been identified in Psi Probe versions through 5.3.0. The issue resides in the Session Attribute Handler component, specifically within the RemoveSessAttributeController.java file. This vulnerability allows authenticated users with the 'probeuser' role to remove arbitrary session attributes from other users' sessions via the '/app/rmsattr.htm' endpoint. The application does not validate session ownership before processing attribute removal requests, enabling low-privileged attackers to delete critical session attributes, such as authorization flags, multi-factor authentication status, or role identifiers, from other users, potentially bypassing authorization controls and escalating privileges.

Impact

Exploitation of this vulnerability can lead to unauthorized removal of session attributes, allowing attackers to bypass authorization checks, manipulate multi-factor authentication requirements, disrupt role-based access controls, and alter security context objects, thereby escalating privileges within the application.

Reproduction

To reproduce this vulnerability, authenticate to Psi Probe with 'probeuser' credentials. Then, identify a target session ID from an administrator session. Use the '/app/rmsattr.htm' endpoint to remove a security-critical attribute, such as 'isAuthorized', from the identified session. The absence of authorization checks will allow the attribute removal, which can be exploited to bypass security measures and escalate privileges.

Remediation

It is recommended to implement session ownership validation and restrict attribute removal to users with administrative privileges. Additionally, protect security-critical attributes from being deleted without proper authorization.
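One way to express the recommended checks as a single authorization decision that a removal handler would consult before touching any session. This is an added example, not Psi Probe's code or its actual fix. The administrative role name, the session IDs, and every protected attribute other than 'isAuthorized' are assumptions made for illustration.

```java
import java.util.Set;

// Added illustration, not Psi Probe code. A removal handler would call decide()
// first and proceed only on ALLOW, logging every other outcome.
final class SessionAttributeRemovalPolicy {

    enum Decision { ALLOW, DENY_BAD_REQUEST, DENY_NOT_OWNER, DENY_PROTECTED_ATTRIBUTE }

    // Hypothetical administrative role name; substitute the deployment's real one.
    static final String ADMIN_ROLE = "ADMIN_ROLE_PLACEHOLDER";

    // Attributes carrying security state. 'isAuthorized' comes from the advisory;
    // the other two names are constructed examples.
    static final Set<String> PROTECTED = Set.of("isAuthorized", "mfaVerified", "roles");

    static Decision decide(Set<String> callerRoles, String callerSessionId,
                           String targetSessionId, String attributeName) {
        // Fail closed on incomplete input instead of guessing a default.
        if (callerRoles == null || callerSessionId == null
                || targetSessionId == null || attributeName == null) {
            return Decision.DENY_BAD_REQUEST;
        }
        boolean isAdmin = callerRoles.contains(ADMIN_ROLE);
        boolean ownsTarget = callerSessionId.equals(targetSessionId);

        // Session ownership validation: a non-admin may only act on its own session.
        if (!isAdmin && !ownsTarget) {
            return Decision.DENY_NOT_OWNER;
        }
        // Security-critical attributes need administrative authorization,
        // even when the caller owns the session.
        if (!isAdmin && PROTECTED.contains(attributeName)) {
            return Decision.DENY_PROTECTED_ATTRIBUTE;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        Set<String> lowPriv = Set.of("probeuser");   // role named in the advisory
        Set<String> admin = Set.of(ADMIN_ROLE);
        String own = "SESSION-A", other = "SESSION-B"; // constructed session IDs

        System.out.println(decide(lowPriv, own, other, "isAuthorized")); // cross-session request
        System.out.println(decide(lowPriv, own, own, "isAuthorized"));   // own session, protected
        System.out.println(decide(lowPriv, own, own, "uiTheme"));        // own session, benign
        System.out.println(decide(admin, own, other, "isAuthorized"));   // administrative caller
        System.out.println(decide(lowPriv, own, null, "uiTheme"));       // missing target
    }
}
```

Denied decisions are worth logging with the caller's identity and the target session ID, since a 'probeuser' account repeatedly requesting removals against sessions it does not own is the pattern this advisory describes.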

Added: Feb 26, 2026, 11:19 PM
Updated: Feb 26, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.