0xJacky nginx-ui
cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*
- <= 2.3.3
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Nginx UI versions through 2.3.3. It enables authenticated users to access, modify, and delete resources belonging to other users. The issue arises because the application's base Model structure does not include a user_id field, and resource endpoints query by ID without verifying user ownership. This flaw creates a complete authorization bypass in multi-user environments. Additionally, sensitive data such as DNS API tokens and ACME private keys is stored in plaintext, which exacerbates the vulnerability by allowing immediate credential theft without decryption.
Exploitation of this vulnerability could lead to unauthorized access and modification of user resources, including DNS credentials stored in plaintext. This could allow an attacker to gain full control over DNS zones, modify DNS records, issue fraudulent SSL certificates, and potentially access cloud infrastructure, depending on the stolen credentials.
To reproduce this vulnerability, an authenticated user can exploit the IDOR by accessing the '/api/dns_credentials/' endpoint with IDs that belong to other users. The response will include plaintext API tokens for various DNS providers, which can then be used for malicious purposes, such as modifying DNS records or intercepting traffic to victim domains.
To address this vulnerability, it is recommended to add user ownership fields to the application's data models, implement authorization checks to ensure users can only access their own resources, and encrypt sensitive data before storage.
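The three remediation steps above, shown together in Go as an added example (this is not nginx-ui's own code). The Credential and Store types, the in-memory map standing in for the database, and the all-zero demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Credential struct {
	UserID uint64 // hypothetical ownership field; the advisory says the base Model lacks one
	Sealed []byte // nonce || AES-GCM ciphertext, never the plaintext token
}
type Store struct {
	aead cipher.AEAD
	rows map[uint64]Credential // stands in for the database table, keyed by record ID
}

func NewStore(key [32]byte) *Store {
	block, _ := aes.NewCipher(key[:]) // cannot fail: 32 bytes is a valid AES-256 key
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES has a 16-byte block
	return &Store{aead, map[uint64]Credential{}}
}

func (s *Store) Put(id, owner uint64, token string) error {
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.rows[id] = Credential{owner, s.aead.Seal(nonce, nonce, []byte(token), nil)}
	return nil
}

// GetOwned answers a missing row and another user's row identically.
func (s *Store) GetOwned(id, caller uint64) (string, error) {
	c, ok := s.rows[id]
	if !ok || c.UserID != caller {
		return "", errors.New("credential not found")
	}
	n := s.aead.NonceSize()
	token, err := s.aead.Open(nil, c.Sealed[:n], c.Sealed[n:], nil)
	return string(token), err
}

func main() {
	s := NewStore([32]byte{}) // constructed all-zero demo key
	s.Put(7, 1, "constructed-token")
	fmt.Println(s.GetOwned(7, 2)) // user 2 asks for user 1's credential
}
```

In a database-backed handler the equivalent check is a query that filters on both the record ID and the caller's user ID, with the encryption key held outside the database.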