The "Download Raw Diff" URL is viewable by everyone
Low
Phabricator
Reported by
newfunction
Vulnerability Details
Technical details and impact analysis
mongoose
This is similar to #213942, but less severe. Here is what you said in #213942:
> The change makes us write files with narrow permissions (instead of broad permissions), write temporary files (instead of permanent files) and [...]
If I understand your comment correctly, suppose that an Administrator creates a diff and revision and sets its visibility to "Administrators". It means that non-admin users cannot view the raw diff via a URL generated by Phabricator, even if the URL is generated randomly. Is that correct?
But here is what I find with repro steps:
1. Log in to a Phabricator account. Then go to http://phab.local/differential/diff/create
2. Enter any raw diff. Change the "Visible to" to "Administrators". Click "Create Diff".
3. Leave "Attach To" as "Create a new Revision...". Click "Continue".
4. In the "Create Revision" page, change the "Visible to" to "Administrators" and "Editable By" to "Administrators". Click "Create New Revision".
5. In the "Differential" page, click "Download Raw Diff" on the right. After the page is fully loaded, copy the URL.
6. Open a new Private browser window (so that you are logged out). Visit the copied URL. You can see the raw diff, even if you are not logged in to any account.
Although you are using a temporary file for the raw diff, it's clear that there's no permission set on this file, because anyone with the URL can view it.
## Impact
I can think of two attack scenarios:
1. Let's say that every developer in my team is in the same discussion group. I post a Raw Diff URL to the group. I think I am safe to do so because Phabricator should block non-admin from viewing it. But in reality, everyone, including less trusted members, has access to the restricted raw diff file. Note that there's no warning telling me not to share the URL.
2. Suppose there's a directory listing vulnerability on my server; an attacker can then use that vulnerability together with this issue to read all raw diff files in the temp folders.
Sincerely,
Xiaoyin
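The report's point is that an unguessable URL only identifies the file; it is not an authorization check against the revision's "Visible to" policy. The following is an added example (not Phabricator's code, and not part of the original report) that models the two behaviours side by side: a store that hands out random-token URLs for raw diffs, a vulnerable fetch that serves the file to anyone holding the URL (steps 1-6 above), and a hardened fetch that re-checks the object's view policy against the caller on every download. The URL shape, the role names and the policy values are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed roles for the example (assumption: not Phabricator's real user model).
ADMIN = "admin"
USER = "user"
ANON = None  # not logged in (private browser window in step 6)


@dataclass
class RawDiff:
    content: str
    visible_to: str  # assumed policy values: "public", "users", "administrators"
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def can_view(visible_to, role):
    """Policy check: does a caller with this role satisfy the object's view policy?"""
    if visible_to == "public":
        return True
    if visible_to == "users":
        return role in (USER, ADMIN)
    if visible_to == "administrators":
        return role == ADMIN
    return False  # unknown policy: fail closed


class RawDiffStore:
    """Holds raw diffs keyed by a random token, the way a 'Download Raw Diff'
    link addresses a temporary file. Only the token appears in the URL."""

    def __init__(self):
        self._diffs = {}

    def create(self, content, visible_to):
        diff = RawDiff(content, visible_to)
        self._diffs[diff.token] = diff
        return f"/differential/diff/raw/{diff.token}"  # hypothetical URL shape

    def _lookup(self, url):
        token = url.rsplit("/", 1)[-1]
        return self._diffs.get(token)

    def fetch_unchecked(self, url):
        """Vulnerable variant: possession of the token is treated as authorization.
        Anyone holding the URL gets the file, logged in or not."""
        diff = self._lookup(url)
        return diff.content if diff else None

    def fetch_checked(self, url, role):
        """Hardened variant: the token only locates the object; the object's
        own view policy is enforced against the caller on every request."""
        diff = self._lookup(url)
        if diff is None:
            return None
        if not can_view(diff.visible_to, role):
            return None  # a real handler would return 403/404; never leak the body
        return diff.content


def reproduce():
    """Replays the report's scenario: an admin-only diff, then a download
    attempt by each kind of caller. Returns which callers got the content."""
    store = RawDiffStore()
    # Constructed sample diff; the content is irrelevant to the check.
    url = store.create("--- a/x\n+++ b/x\n@@ -1 +1 @@\n-old\n+new\n", "administrators")
    return {
        "unchecked_anonymous": store.fetch_unchecked(url) is not None,
        "checked_anonymous": store.fetch_checked(url, ANON) is not None,
        "checked_user": store.fetch_checked(url, USER) is not None,
        "checked_admin": store.fetch_checked(url, ADMIN) is not None,
    }


if __name__ == "__main__":
    for caller, leaked in reproduce().items():
        print(f"{caller}: {'readable' if leaked else 'blocked'}")
```

The design point is that the policy decision lives in the download handler, next to the object, rather than being implied by the secrecy of the URL; that also addresses the reporter's second scenario, since a handler-mediated file that is never exposed through a web-served directory cannot be picked up by a directory listing.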
Report Details
Additional information and metadata
State
Closed
Substate
Informative
Weakness
Information Disclosure