
#4147 Found Vulnerability:- IDOR (Insecure Direct Object Reference)

Group: UNUSED
Status: closed-invalid
Owner: nobody
Priority: 5
Updated: 2025-09-17
Created: 2025-09-11
Private: No

The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to the website (https://www.jedit.org).
2- On the home page, on the right side, you will see the SourceForge Project option.
3- Open Burp Suite, turn on Intercept, and in the browser click the SourceForge Project option.
4- Forward the first and second requests, and you will then see a bunch of requests in that request.
5- Among those requests you will see (https://fastlane.rubiconproject.com).
6- Send it to Repeater and change the account id.
7- You will see that the response is 200 OK.

Please find the attached PDF report, in which I have documented all the manual testing as proof.

1 attachment

Discussion

  • Eric Le Lay - 2025-09-15
    • status: open --> open-invalid

  • Eric Le Lay - 2025-09-15

    Please clarify exactly how step 6 is a vulnerability, since the response is an error. Anyway, please send the report to sourceforge.net, because on jedit.org it is just an image and a plain link to https://www.sourceforge.net/projects/jedit/.

  • Eric Le Lay - 2025-09-15
    • Group: severe bug --> UNUSED

  • kunal waidande - 2025-09-16

    Before re-testing, first log in to your account; only then will you see the 200 OK response.

    In step 6, after modifying the account id in the request, you will see in Repeater that the response is OK; this must not happen. If someone modifies the account id, it must return an error code. I have also sent the PDF report with the PoC.

  • Eric Le Lay - 2025-09-17
    • status: open-invalid --> closed-invalid

  • Eric Le Lay - 2025-09-17

    According to your report, HTTP is 200 with the modified or unmodified account id, but the JSON is status: "ok" with the unmodified and "error" with the modified account id. So it doesn't look like the changed account id was accepted.
    Again, it has nothing to do with jEdit. I'm closing the ticket now.


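The maintainer's closing point is the check a practitioner should automate before filing an IDOR: an HTTP 200 says nothing about whether the tampered account_id was honoured; the application-level status in the JSON body does. The following is an added example written for this page, not code from the ticket, jEdit, SourceForge, Burp Suite or the fastlane endpoint's owner. The response bodies are constructed, the account_id field inside the body and the tampered id 99999 are assumptions, and only the query-string parameter names, the baseline account id and the fastlane.json path come from the report.

```python
"""Deciding whether an IDOR candidate was really accepted.

Constructed example for this page; not code from the jEdit ticket,
SourceForge, Burp Suite or the fastlane endpoint's owner.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Endpoint and baseline account_id as named in the report.
BASELINE_URL = ("https://fastlane.rubiconproject.com/a/api/fastlane.json"
                "?account_id=15680&site_id=103240")
TAMPERED_ID = "99999"  # assumed foreign id; the ticket does not say which id was tried


@dataclass(frozen=True)
class CapturedResponse:
    """What Repeater shows: transport status code plus raw body."""
    status_code: int
    body: str


def rewrite_query_param(url: str, name: str, value: str) -> str:
    """Set one query-string parameter, as done by hand in Repeater in step 6."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[name] = [value]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def application_status(resp: CapturedResponse):
    """Return the JSON 'status' field ('ok', 'error', ...) or None if absent."""
    try:
        doc = json.loads(resp.body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    status = doc.get("status")
    return status if isinstance(status, str) else None


def idor_verdict(baseline: CapturedResponse, tampered: CapturedResponse) -> str:
    """Classify the tampered request against the legitimate baseline.

    rejected         : transport or application-level denial (this ticket's case)
    same_as_baseline : the server ignored the id and returned the caller's own data
    confirmed        : success for the foreign id with data that differs from baseline
    inconclusive     : no usable signal; review the body by hand
    """
    if tampered.status_code in (401, 403, 404):
        return "rejected"
    status = application_status(tampered)
    app_ok = status is not None and status.lower() == "ok"
    if status is not None and not app_ok:
        # HTTP 200 is only the transport; the application said no.
        return "rejected"
    if tampered.body == baseline.body:
        return "same_as_baseline"
    if tampered.status_code == 200 and app_ok:
        return "confirmed"
    return "inconclusive"


# Constructed captures modelling the ticket: both 200 OK, bodies differ in 'status'.
BASELINE_CAPTURE = CapturedResponse(200, '{"status": "ok", "account_id": 15680}')
TICKET_TAMPERED_CAPTURE = CapturedResponse(200, '{"status": "error"}')
# Constructed capture of what a genuine IDOR would look like, for comparison.
REAL_IDOR_CAPTURE = CapturedResponse(200, '{"status": "ok", "account_id": 99999}')


def demo() -> dict:
    """Tampered URL plus verdicts for the ticket's captures and for a genuine IDOR."""
    return {
        "tampered_url": rewrite_query_param(BASELINE_URL, "account_id", TAMPERED_ID),
        "ticket": idor_verdict(BASELINE_CAPTURE, TICKET_TAMPERED_CAPTURE),
        "real_idor": idor_verdict(BASELINE_CAPTURE, REAL_IDOR_CAPTURE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run idor_verdict() on the baseline and tampered captures taken from Repeater. "rejected" covers this ticket's case (200 OK with status: "error"); only "confirmed", a success status with data that differs from the baseline, is worth writing up, and "same_as_baseline" means the parameter was ignored rather than honoured.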