HC's Capture the Flag website
25C3-CTF

25C3-CTF final results

Advisory #60

From team h4ck!nb3rg

New advisory by : churchy
Affected service(s): ultrashare
Severity [lmh] : medium


Ok, here is the next one:

===== Problem =====
When a user uploads a file, a unique id is assigned to it. Only the user who uploaded the file should be able to delete it. But if another registered user uses the button to delete a file and modifies the request using a proxy, files of other users can be deleted. To do so, the form parameter "file" (hidden field) has to be modified. The app then deletes it and returns: File test was successfully deleted

===== Impact =====
As described above, any file of the service can be deleted if you are registered.

===== Fix =====
In the file db.rb, the function deleteFile only checks whether the id exists and then deletes the file. You can enhance the SQL statement by additionally checking whether the user is the owner of the file:

@db.execute("delete from files where id=? and owner=?",id,user)

To make this work you also have to change the function header so that the parameter "user" exists, and pass it on to the function from main.rb.
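
The unchecked and owner-checked delete side by side, as an added example that is not ultrashare's own code. The service is Ruby; this is a Python model using the built-in sqlite3 module so it runs without extra packages. The table layout, the sample rows, the response strings and every function name are assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the service database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table files (id integer primary key, name text, owner text)")
    # Constructed sample rows: one file per user.
    db.executemany("insert into files values (?, ?, ?)",
                   [(1, "test", "alice"), (2, "notes", "bob")])
    return db

def delete_file_unchecked(db, file_id):
    """Behaviour described under Problem: only the id is matched."""
    cur = db.execute("delete from files where id=?", (file_id,))
    return cur.rowcount == 1

def delete_file_owned(db, file_id, user):
    """Behaviour described under Fix: id and owner must both match.

    `user` has to be the authenticated session user, never a form field.
    Returns True only if a row was removed, so the caller does not report
    success for a request that deleted nothing.
    """
    cur = db.execute("delete from files where id=? and owner=?", (file_id, user))
    return cur.rowcount == 1

def remaining(db):
    """Ids still present in the files table."""
    return [row[0] for row in db.execute("select id from files order by id")]

def handle_delete(db, session_user, form):
    """Hypothetical request handler standing in for main.rb."""
    try:
        file_id = int(form.get("file", ""))  # hidden field, client-controlled
    except ValueError:
        return "Invalid file id"
    if delete_file_owned(db, file_id, session_user):
        return "File was successfully deleted"
    # Same answer for "not yours" and "does not exist": no id enumeration.
    return "File not found"

if __name__ == "__main__":
    db = make_db()
    print(handle_delete(db, "bob", {"file": "1"}))  # tampered id, not bob's file
    print(handle_delete(db, "bob", {"file": "2"}))  # bob's own file
    print(remaining(db))
```

Checking the affected-row count matters because a delete that matches no row is not an SQL error; without it the handler would still print the success message.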







Rating

[3] This bug is new to me.
