Brave CMS Insecure Direct Object Reference Vulnerability in Article Image Deletion

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Brave CMS versions prior to 2.0.6. It exists in the article image deletion feature, specifically in the 'deleteImage' method of the ArticleController. The endpoint accepts a filename via the URL without verifying ownership, so an authenticated user with edit permissions can delete images from articles belonging to other users.

Impact

Exploitation of this vulnerability allows unauthorized deletion of image files on the server, with potential loss of important data. It also causes localized availability issues for the affected articles, whose associated images are removed.

Reproduction

To reproduce this vulnerability, authenticate as a user with article edit permissions. Then identify an image filename and article ID that belong to a different user. Send a POST request to the article image deletion endpoint, including the filename of the image to be deleted. The server responds with 'HTTP 200 OK', indicating successful deletion, and checking the images directory confirms that the file has been permanently removed.

Remediation

To address this vulnerability, validate the filename against the article's stored image value so that users cannot delete arbitrary files: enforce a check that the article's image matches the filename being deleted. Additionally, apply 'basename' to the filename to strip any path traversal components, and verify article ownership against the authenticated user before allowing the deletion to proceed.
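The three remediation checks above, as an added Python illustration that is not Brave CMS's own ArticleController code; the Article record fields, the in-memory store, the user IDs and the filenames are constructed assumptions standing in for the CMS database:

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

@dataclass
class Article:
    id: int
    owner_id: int
    image: Optional[str]  # stored image filename, relative to the images directory

# Constructed sample records standing in for the CMS database (not real data).
ARTICLES = {
    1: Article(id=1, owner_id=10, image="hero-1.jpg"),
    2: Article(id=2, owner_id=20, image="banner-2.png"),
}

def authorize_image_deletion(article_id, filename, current_user_id, articles=ARTICLES):
    """Return (True, safe_filename) if deletion may proceed, else (False, reason)."""
    # 1. Drop directory components so "../x/hero-1.jpg" collapses to "hero-1.jpg".
    safe_name = os.path.basename(filename)
    article = articles.get(article_id)
    if article is None:
        return False, "unknown article"
    # 2. Ownership: the article must belong to the authenticated user.
    if article.owner_id != current_user_id:
        return False, "article not owned by current user"
    # 3. The name must equal the image stored for this article, so a user can only ever remove the one file the record points to.
    if not article.image or safe_name != article.image:
        return False, "filename does not match article image"
    return True, safe_name

def delete_image(article_id, filename, current_user_id, image_dir, articles=ARTICLES):
    """Hardened handler: authorize first, then remove the file and clear the record."""
    allowed, result = authorize_image_deletion(article_id, filename, current_user_id, articles)
    if not allowed:
        return False, result
    path = os.path.join(image_dir, result)
    if os.path.isfile(path):
        os.remove(path)
    articles[article_id].image = None
    return True, path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as image_dir:
        open(os.path.join(image_dir, "hero-1.jpg"), "wb").close()
        print(delete_image(1, "hero-1.jpg", 20, image_dir))  # refused: wrong owner
        print(delete_image(1, "../hero-1.jpg", 10, image_dir))  # owner succeeds
```

Note that 'basename' only neutralizes the path components; it is the match against the stored image and the ownership check that stop a user reaching into another user's article.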

Added: Apr 6, 2026, 8:27 PM
Updated: Apr 6, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.6
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.