FACTION Unauthenticated Access to Boilerplate Templates Vulnerability

Vulnerability

A vulnerability in FACTION, a PenTesting report generation and collaboration framework, allows unauthenticated attackers to access, modify, and delete boilerplate templates. This issue arises because the AccessControlInterceptor, which manages authentication for Struts2 actions, fails to verify session validity before invoking action methods. As a result, four methods in BoilerPlateConfig can be exploited without authentication, enabling attackers to read, overwrite, deactivate, and permanently delete any template in the system.

Impact

Exploitation of this vulnerability allows for the unauthorized reading of all boilerplate templates, including private ones, the overwriting of global templates with arbitrary content, and the permanent deletion of any template without recovery options.

Reproduction

The vulnerability can be reproduced by sending requests to the affected endpoints without authentication. After creating a boilerplate template as an admin, the template can be accessed and manipulated using the vulnerable action methods, all without a valid session.

Remediation

To address this vulnerability, add a session check in the AccessControlInterceptor to reject unauthenticated requests before they reach the action methods. Additionally, each BoilerPlateConfig action method should include a session verification and, for template detail lookups, an ownership check.
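The two checks described above, as an added sketch that is not FACTION's own code: an interceptor that returns before `invoke()` when the session holds no user, and an owner test for template detail lookups. It assumes the Struts 2.x/6.x package names; the class name, the session key `user`, the result name `login` and the helper `mayReadTemplate` are hypothetical.

```java
// Added example, not FACTION's code. Assumes Struts 2.x/6.x package names
// (Struts 7 moved these classes under org.apache.struts2).
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.Map;

public class SessionRequiredInterceptor extends AbstractInterceptor {

    // Hypothetical names: use the session key and result the application defines.
    static final String USER_KEY = "user";
    static final String LOGIN_RESULT = "login";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(USER_KEY);
        if (user == null) {
            // Fail closed: returning here means invoke() is never called,
            // so no action method runs for an unauthenticated request.
            return LOGIN_RESULT;
        }
        return invocation.invoke();
    }

    /**
     * Second layer, called inside the action method for template detail lookups.
     * Assumed policy: a global template is readable by any authenticated user,
     * a private template only by its owner.
     */
    static boolean mayReadTemplate(Long sessionUserId, Long ownerId, boolean global) {
        if (sessionUserId == null) {
            return false; // no authenticated user, regardless of template type
        }
        return global || sessionUserId.equals(ownerId);
    }
}
```

The interceptor only takes effect for actions whose interceptor stack includes it, so the per-method check remains necessary as a backstop.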

Added: May 26, 2026, 10:41 PM
Updated: May 26, 2026, 10:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.7
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.