
If I know your session's objectId, I can delete it without any auth #3896


Closed
AndrewLane opened this issue Jun 1, 2017 · 4 comments
Labels
type:bug Impaired feature or lacking behavior that is likely assumed

Comments

@AndrewLane
Contributor

Issue Description

Looks like the documentation here:

http://docs.parseplatform.org/rest/guide/#deleting-sessions

that says "You can only delete other sessions that belong to the same user." is false. If a session object id is leaked, it can be deleted with a request that only has the X-Parse-Application-Id header.

Steps to reproduce

  1. Create an anonymous user with a request like this:

     POST /parse/users/ HTTP/1.1
     Host: localhost:1337
     Content-Type: application/json
     X-Parse-Application-Id: myAppId
     Cache-Control: no-cache

     {
         "authData": {
             "anonymous": {
                 "id": "8ba115f2-db2f-4de9-a976-e3cfd18d8be1"
             }
         }
     }

  2. Note the sessionToken in the response.
  3. Look up the session objectId with a request like this:

     GET /parse/sessions/me HTTP/1.1
     Host: localhost:1337
     X-Parse-Application-Id: myAppId
     X-Parse-Session-Token: r:2e43f46b20a3c6420043d3299d7dcead
     Content-Type: application/json
     Cache-Control: no-cache

  4. Note the objectId.
  5. Try to delete the session object with an unauthenticated request like this:

     DELETE /parse/sessions/VapNXYViLW HTTP/1.1
     Host: localhost:1337
     X-Parse-Application-Id: myAppId
     Cache-Control: no-cache

Expected Results

You should have to prove you are a given user (with a session token) before you're allowed to delete sessions of that user.

Actual Outcome

The session is deleted.

Environment Setup

  • Server
    • parse-server version: commit hash 9ad8697
    • Operating System: Windows
    • Localhost or remote server? localhost
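The report boils down to a missing object-level authorization check on the session delete route: the server verifies the application id but never establishes who the caller is before deleting the object named in the URL. The following is an added illustration, not parse-server's own code: a minimal in-memory model of a `DELETE /sessions/:objectId` handler with the reported behaviour beside a hardened version that requires the caller to prove ownership with a session token. `SessionStore`, `APP_ID`, `freshStore`, `request` and `runScenario` are names assumed for this example; the objectId and token of user A are the values quoted in the report, and user B's values are constructed. The master-key path a real server would also accept is left out to keep the comparison focused.

```javascript
// Added illustration (not parse-server's code): an in-memory model of a
// "DELETE /sessions/:objectId" handler. deleteSessionUnchecked() reproduces the
// behaviour the issue reports; deleteSessionChecked() adds the ownership check
// the REST guide promises. All names below are assumptions for this example.

const APP_ID = 'myAppId'; // application id used in the report's requests

class SessionStore {
  constructor() {
    this.sessions = new Map(); // objectId -> { objectId, userId, sessionToken }
  }
  create(objectId, userId, sessionToken) {
    this.sessions.set(objectId, { objectId, userId, sessionToken });
  }
  get(objectId) {
    return this.sessions.get(objectId) || null;
  }
  findByToken(sessionToken) {
    for (const s of this.sessions.values()) {
      if (s.sessionToken === sessionToken) return s;
    }
    return null;
  }
  remove(objectId) {
    this.sessions.delete(objectId);
  }
}

// Behaviour described in the issue: any caller that knows the app id and the
// objectId can delete the session; the caller's identity is never established.
function deleteSessionUnchecked(store, req) {
  if (req.headers['x-parse-application-id'] !== APP_ID) {
    return { status: 403, error: 'unauthorized' };
  }
  if (!store.get(req.objectId)) return { status: 404, error: 'object not found' };
  store.remove(req.objectId);
  return { status: 200 };
}

// Hardened handler: the caller must present a valid session token, and the
// session being deleted must belong to the same user as that token.
function deleteSessionChecked(store, req) {
  if (req.headers['x-parse-application-id'] !== APP_ID) {
    return { status: 403, error: 'unauthorized' };
  }
  const token = req.headers['x-parse-session-token'];
  const caller = token ? store.findByToken(token) : null;
  if (!caller) return { status: 403, error: 'invalid or missing session token' };
  const target = store.get(req.objectId);
  if (!target) return { status: 404, error: 'object not found' };
  // Object-level authorization: compare owners, not just "some token is present".
  if (target.userId !== caller.userId) {
    return { status: 403, error: 'session belongs to another user' };
  }
  store.remove(req.objectId);
  return { status: 200 };
}

// A fresh store per case so one deletion does not affect the next. User A's
// objectId and token are the values quoted in the report; user B's are constructed.
function freshStore() {
  const store = new SessionStore();
  store.create('VapNXYViLW', 'userA', 'r:2e43f46b20a3c6420043d3299d7dcead');
  store.create('constructedB', 'userB', 'r:constructedTokenForUserB');
  return store;
}

// Builds a request object carrying the same headers the report uses.
function request(objectId, sessionToken) {
  const headers = { 'x-parse-application-id': APP_ID };
  if (sessionToken) headers['x-parse-session-token'] = sessionToken;
  return { objectId, headers };
}

// Runs the report's scenario against both handlers and returns the status codes.
function runScenario() {
  const ownerToken = 'r:2e43f46b20a3c6420043d3299d7dcead';
  const noToken = request('VapNXYViLW');
  const otherUser = request('VapNXYViLW', 'r:constructedTokenForUserB');
  const owner = request('VapNXYViLW', ownerToken);
  const ownerStore = freshStore();
  const checkedOwner = deleteSessionChecked(ownerStore, owner).status;
  return {
    uncheckedNoToken: deleteSessionUnchecked(freshStore(), noToken).status, // 200: the reported bug
    checkedNoToken: deleteSessionChecked(freshStore(), noToken).status,     // 403
    checkedOtherUser: deleteSessionChecked(freshStore(), otherUser).status, // 403
    checkedOwner,                                                           // 200
    ownerSessionGone: ownerStore.get('VapNXYViLW') === null,                // true
    checkedUnknownId: deleteSessionChecked(freshStore(), request('nosuchid', ownerToken)).status, // 404
  };
}

console.log(runScenario());
```

The point of the side-by-side is the order of checks in `deleteSessionChecked`: the caller's identity is resolved from the token first, and only then is the target compared against it, so an unauthenticated request and a request from a different user both stop at 403 before anything is deleted. A regression test for the real server would assert the same three outcomes against the live `/parse/sessions/:objectId` route.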
@flovilmart
Contributor

Thanks for the report, do you want to provide a fix?

@AndrewLane
Contributor Author

I do not have the capacity to provide that fix at this time, sorry.

@flovilmart flovilmart added type:bug Impaired feature or lacking behavior that is likely assumed up-for-grabs labels Jun 5, 2017
@pungme
Contributor

pungme commented Jun 9, 2017

I might have time to check on this over the weekend. @flovilmart Any tips on where I should look?

@flovilmart
Contributor

Closing as fixed!
