Sushmi-pal Invoice-System 1.0
A vulnerability exists in Sushmi-pal Invoice-System versions up to commit a0a3faa16dee2621b231ae227333f5761607283b, specifically within the Profile Workflow component. The issue arises from improper authorization handling in the file '/profile', where the application fails to verify that the requested profile ID belongs to the authenticated user (an insecure direct object reference). This flaw allows remote attackers to access or modify any user's profile data by manipulating the ID in the request. The vulnerability has been publicly disclosed and is currently unpatched.
Exploitation of this vulnerability could lead to unauthorized access to private profile information of other users, arbitrary modification of user data such as email and name, and potential account takeover by bypassing account recovery mechanisms.
To reproduce this vulnerability, send a POST request to the '/profile/{id}' endpoint, replacing '{id}' with the ID of the profile to be accessed or modified. The request must include the desired changes to the profile data, such as name and email. The server processes the request without verifying that the ID belongs to the authenticated user, allowing unauthorized modifications.
To address this vulnerability, implement authorization checks so that every profile action is tied to the authenticated user. This can be done by operating on 'auth()->user()' instead of a client-supplied ID, and, where an ID must remain in the route, by applying an authorization policy that verifies the requested profile belongs to the currently authenticated user. Additionally, consider using non-sequential identifiers (such as UUIDs) so that user profiles cannot be enumerated by incrementing the ID.
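The following is an added example illustrating the fix described above; it is not code from the Sushmi-pal Invoice-System repository. It assumes a Laravel application with the default `App\Models\User` model and the standard `web` auth guard; the controller, policy, method and route names are hypothetical. The insecure method is shown only to mark the pattern the advisory describes, beside two hardened forms: one that drops the client-supplied ID entirely and one that keeps the ID but enforces an ownership policy.

```php
<?php
// Added example, not project code. Assumes Laravel with App\Models\User.
// Both namespaces are shown in one file for readability; in a real app they
// would live in app/Http/Controllers/ProfileController.php and
// app/Policies/UserPolicy.php respectively.

namespace App\Policies {

    use App\Models\User;

    // Laravel auto-discovers App\Policies\UserPolicy for App\Models\User.
    class UserPolicy
    {
        // A user may update a profile only if it is their own row.
        public function update(User $actor, User $profile): bool
        {
            return $actor->id === $profile->id;
        }
    }
}

namespace App\Http\Controllers {

    use App\Models\User;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Gate;

    class ProfileController extends Controller
    {
        // BEFORE (the pattern the advisory describes): the row is selected by
        // the client-controlled {id} and updated with no ownership check.
        // Kept here only to show what the hardened versions replace.
        public function updateInsecure(Request $request, int $id)
        {
            $user = User::findOrFail($id);
            $user->update($request->only(['name', 'email']));
            return redirect('/profile');
        }

        // AFTER, option 1: accept no ID at all. The record acted on is always
        // the authenticated user's own row, so there is nothing to tamper with.
        // Route: Route::post('/profile', [ProfileController::class, 'update'])
        //            ->middleware('auth');
        public function update(Request $request)
        {
            $me = $request->user(); // equivalent to auth()->user()

            $validated = $request->validate([
                'name'  => ['required', 'string', 'max:255'],
                // Exclude the caller's own row from the uniqueness check.
                'email' => ['required', 'email', 'max:255',
                            'unique:users,email,' . $me->id],
            ]);

            $me->update($validated);
            return redirect('/profile')->with('status', 'profile-updated');
        }

        // AFTER, option 2: the route keeps {profile} (route-model bound to User),
        // so ownership is enforced explicitly through UserPolicy::update.
        // Gate::authorize throws an AuthorizationException (HTTP 403) when the
        // policy returns false, before any data is read or written.
        // Route: Route::post('/profile/{profile}', [ProfileController::class, 'updateById'])
        //            ->middleware('auth');
        public function updateById(Request $request, User $profile)
        {
            Gate::authorize('update', $profile);

            $validated = $request->validate([
                'name'  => ['required', 'string', 'max:255'],
                'email' => ['required', 'email', 'max:255',
                            'unique:users,email,' . $profile->id],
            ]);

            $profile->update($validated);
            return redirect('/profile')->with('status', 'profile-updated');
        }
    }
}
```

Option 1 is the smaller attack surface: with no identifier in the request there is no object reference to manipulate, and the same pattern applies to the read side (`return view('profile', ['user' => $request->user()])`). Option 2 is the shape to use when other roles legitimately need to reach other users' profiles, since the policy becomes the single place where that rule lives. For the enumeration concern, Laravel's `Illuminate\Database\Eloquent\Concerns\HasUuids` trait (Laravel 9.30 and later) on the `User` model replaces sequential integer keys with UUIDs; this is a hardening measure, not a substitute for the ownership check.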