liangliangyy DjangoBlog Improper Authorization Vulnerability in OAuth Email Binding
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in liangliangyy DjangoBlog versions through 2.1.0.0. The issue resides in RequireEmailView in oauth/views.py, whose form_valid method takes the oauthid value submitted in the form and uses it to select the OAuthUser row to modify, without checking that the id belongs to the OAuth flow of the requesting user. Because the field is under client control, an attacker can substitute another user's OAuthUser id, attach an email address they control to that identity and hijack it, leading to unauthorized access and account takeover through social authentication.
Impact
Exploitation of this vulnerability allows for hijacking of users' OAuth identities, resulting in unauthorized access to their accounts through social login.
Reproduction
To reproduce this vulnerability, first confirm that the RequireEmailView route is reachable by requesting it with an arbitrary OAuthUser id. An HTTP 404 response here means the view resolved but no OAuthUser row has that id, not that the route is absent. The attacker then completes a normal OAuth login, which leads to the email-binding form, changes the hidden oauthid field from their own OAuthUser id to the targeted user's id, and submits an email address they control. The confirmation mail is sent to that address; once the link in it is followed, the targeted user's OAuth identity is bound to the attacker's account.
Remediation
Before modifying an OAuthUser row, form_valid should verify that the submitted oauthid is the one the server issued for the current session's OAuth flow, and reject the request otherwise. Better still, keep the OAuth ID only in the server-side session (set when the provider callback completes) and drop the hidden form field, so the value is never supplied by the client at all.
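The following is an added example and not code from DjangoBlog: a dependency-free Python model of the trust-the-hidden-field pattern described under Reproduction, beside the session-pinned version described under Remediation, with the attacker's tampered form replayed against both. The OAuthUser dataclass, the dict-backed table, the session dict and the function names (probe, bind_email_vulnerable, start_oauth_flow, bind_email_hardened, run_attack) are stand-ins for the Django model, ORM, session and FormView chosen for this illustration, not names from the project.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional


class Http404(Exception):
    """Stand-in for django.http.Http404."""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class OAuthUser:
    """Stand-in for the OAuthUser model: one row per third-party identity."""
    id: int
    nickname: str
    email: Optional[str] = None


# Constructed sample table (not real data): row 1 is the victim's identity,
# row 2 is the identity the attacker obtained by logging in via OAuth.
SAMPLE_DB = {
    1: OAuthUser(id=1, nickname="victim"),
    2: OAuthUser(id=2, nickname="attacker"),
}


def get_object_or_404(db, pk):
    """Mirror of Django's get_object_or_404 over the dict-backed table."""
    try:
        return db[pk]
    except KeyError:
        raise Http404(f"OAuthUser {pk} does not exist") from None


def probe(db, pk):
    """Reproduction step 1: a 404 shows the view resolves but the id is unused."""
    try:
        get_object_or_404(db, pk)
        return 200
    except Http404:
        return 404


def bind_email_vulnerable(post, db):
    """Vulnerable form_valid: the hidden oauthid field is trusted as-is."""
    oauthid = int(post["oauthid"])              # attacker-controlled
    oauthuser = get_object_or_404(db, oauthid)  # any existing row can be selected
    oauthuser.email = post["email"]             # victim's row now carries attacker's mailbox
    return oauthuser


def start_oauth_flow(session, oauthuser):
    """Hardened flow, step 1: after the provider callback, pin the identity being
    bound in the server-side session instead of a hidden form field."""
    session["pending_oauthid"] = oauthuser.id


def bind_email_hardened(post, session, db):
    """Hardened form_valid: the row to modify comes from the session. A client-
    supplied oauthid is tolerated only if it matches; anything else is refused."""
    oauthid = session.get("pending_oauthid")
    if oauthid is None:
        raise PermissionDenied("no OAuth binding in progress for this session")
    if "oauthid" in post and int(post["oauthid"]) != oauthid:
        raise PermissionDenied("oauthid does not belong to this session")
    oauthuser = get_object_or_404(db, oauthid)
    oauthuser.email = post["email"]
    return oauthuser


def run_attack():
    """Replay the reproduction against both handlers.

    Returns (email on the victim's row after the vulnerable handler,
             whether the hardened handler refused,
             email on the victim's row after the hardened handler)."""
    # The attacker completed OAuth as row 2, then edited the hidden field to 1.
    tampered_post = {"oauthid": "1", "email": "attacker@example.com"}

    vuln_db = deepcopy(SAMPLE_DB)
    bind_email_vulnerable(tampered_post, vuln_db)

    hard_db = deepcopy(SAMPLE_DB)
    session = {}
    start_oauth_flow(session, hard_db[2])  # server pinned id 2 for this session
    try:
        bind_email_hardened(tampered_post, session, hard_db)
        refused = False
    except PermissionDenied:
        refused = True
    return vuln_db[1].email, refused, hard_db[1].email


if __name__ == "__main__":
    print(probe(SAMPLE_DB, 999))  # 404
    print(run_attack())          # ('attacker@example.com', True, None)
```

The hardened handler still looks the row up with get_object_or_404, so a stale or deleted id fails closed with a 404 rather than falling back to the client's value; the ownership decision itself rests solely on state the server wrote at the start of the flow.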
