Bug #68
Feature #65: Security Audit

[Security Audit] 3-Broken Access Control

Added by Kalyan Battula about 1 year ago. Updated 7 months ago.

Status: Closed
Priority: High
Assignee: Kranti Boddu
Category: -
Target version: -
Start date: 17/04/2024
Due date: -
% Done: 0%
Estimated time: -
Deployed In: -

Description

Broken Access Control
CWE: CWE-425
Description:
The application allows an unauthenticated user to access pages that should be
accessible to the administrator only. This happens because the application's
access controls are implemented improperly.
Affected Path(s):
https://earogya.satragroup.in/change-password (applicable to the entire application)
Impact:
Attackers acting as users or administrators, or users using privileged functions,
can create, access, update or delete every record.
Recommendation:
The default should always be denial.
Everyone should be denied access to everything, and then each specific role should
be explicitly granted access to each function it needs.
Log failed attempts to access features to make sure everything is configured
correctly.
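The recommendation above (deny by default, explicit per-role grants, log every refused request) as an added illustration; this is not the audited application's code, and the route table, role names and request shape are assumptions made for the example:

```python
"""Deny-by-default, role-based authorization with an audit trail of refusals.

Illustration only (not the audited application's code). Every (path, method) is
refused unless a rule explicitly grants it to the caller's role, and each refusal
is recorded so a missing or wrong rule shows up in the log instead of silently
exposing a page.
"""
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("authz")

# Hypothetical allow-list: (path, method) -> roles allowed to call it.
# Anything not listed here is denied for everyone, administrators included.
GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("/change-password", "POST"): {"user", "admin"},
    ("/profile", "GET"): {"user", "admin"},
    ("/admin/users", "GET"): {"admin"},
    ("/admin/users", "DELETE"): {"admin"},
}


@dataclass
class Request:
    path: str
    method: str
    user: Optional[str]  # None means no authenticated session
    role: Optional[str]  # None means the session carries no role


# In-memory audit trail for the example; a real deployment ships these to SIEM.
_denied: List[dict] = []


def _audit(req: Request, reason: str) -> None:
    """Record a refused request with enough context to spot misconfiguration."""
    entry = {"user": req.user, "role": req.role, "path": req.path,
             "method": req.method, "reason": reason}
    _denied.append(entry)
    log.warning("access denied user=%r role=%r %s %s (%s)",
                req.user, req.role, req.method, req.path, reason)


def authorize(req: Request) -> bool:
    """Return True only when an explicit grant exists for the caller's role.

    Every other outcome, unauthenticated caller, unknown route, or role not in
    the grant set, is a refusal that gets logged.
    """
    if req.user is None or req.role is None:
        _audit(req, "unauthenticated")
        return False
    allowed_roles = GRANTS.get((req.path, req.method))
    if allowed_roles is None:
        _audit(req, "no grant rule for route")
        return False
    if req.role not in allowed_roles:
        _audit(req, f"role {req.role!r} not granted")
        return False
    return True


def denied_log() -> List[dict]:
    """Return a copy of the refusals recorded so far."""
    return list(_denied)


if __name__ == "__main__":
    # Constructed sample requests: the unauthenticated one mirrors the finding.
    for r in (Request("/change-password", "POST", None, None),
              Request("/change-password", "POST", "alice", "user"),
              Request("/admin/users", "DELETE", "alice", "user"),
              Request("/admin/users", "DELETE", "root", "admin"),
              Request("/admin/reports", "GET", "root", "admin")):
        print(r.method, r.path, r.user, "->", "allow" if authorize(r) else "deny")
```

The design point is that `authorize` has a single success path and the grant table is the only place access is widened; an administrator hitting a route nobody added to `GRANTS` is refused and logged, which is exactly the signal the "log failed attempts" recommendation relies on to catch configuration mistakes before users do.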
Reference:
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
Evidence/Proof of Concept:
Step 1: In the application it was observed that certain internal pages were accessible to the
end user without any authentication.


Files

clipboard-202404171532-uersf.png (432 KB) clipboard-202404171532-uersf.png Kalyan Battula, 17/04/2024 03:32 PM