Summary
A vulnerability was identified in Dify where normal (non-admin) users can enable or disable an app's web site and API through the console API, even though the corresponding buttons in the web UI are disabled for such users and they are not permitted to make these changes. This access control flaw lets non-admin users make unauthorized changes that can disrupt the functionality and availability of apps.
Affected Endpoints
- /console/api/apps/{app.id}/site-enable
- /console/api/apps/{app.id}/api-enable
Authentication
Required (a normal, non-admin user account is sufficient)
PoC
- The web UI buttons for enabling or disabling the app's web site and API are disabled for a normal user.
- The following console API endpoints nevertheless accept requests from a normal user and toggle the app's web site and API settings: /console/api/apps/{app.id}/site-enable and /console/api/apps/{app.id}/api-enable.
- Result: a normal user disables the app's web site and API successfully, without authorization.
Recommendation
To mitigate this issue, update the API access control so that only users with admin (or owner) privileges can send requests to enable or disable an app's web site and API. Enforce role-based access control (RBAC) on the API endpoints themselves rather than relying on the web UI, and review the endpoints so that server-side permissions match the permissions the web UI intends.
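A minimal sketch of the server-side check the recommendation calls for, added here as an illustration and not code from the Dify project: a handler that only verifies the caller is logged in (the flaw described above) beside one that also enforces the same role predicate the web UI uses to grey out the buttons, with a probe that replays the PoC against each. The role names, the Account/App models, the endpoint-to-field mapping and the helper functions are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum


class TenantRole(str, Enum):
    """Workspace roles; names are illustrative, not Dify's exact role set (assumption)."""
    OWNER = "owner"
    ADMIN = "admin"
    NORMAL = "normal"


class Forbidden(Exception):
    """Raised when an authenticated user lacks the required role (maps to HTTP 403)."""


@dataclass
class Account:
    email: str
    role: TenantRole


@dataclass
class App:
    app_id: str
    enable_site: bool = True
    enable_api: bool = True


# Which app field each endpoint toggles (assumed mapping for the example):
# .../site-enable -> enable_site, .../api-enable -> enable_api
TOGGLE_FIELDS = {"site-enable": "enable_site", "api-enable": "enable_api"}


def can_toggle_app_status(user: Account) -> bool:
    """The predicate the web UI applies when disabling the buttons. The server must
    apply the same predicate, otherwise the UI gating is purely cosmetic."""
    return user.role in (TenantRole.OWNER, TenantRole.ADMIN)


def toggle_app_status_vulnerable(user: Account, app: App, endpoint: str, value: bool) -> App:
    """Mirrors the flaw: checks authentication (is someone logged in?) but never authorization."""
    if user is None:
        raise PermissionError("login required")
    setattr(app, TOGGLE_FIELDS[endpoint], value)
    return app


def toggle_app_status_fixed(user: Account, app: App, endpoint: str, value: bool) -> App:
    """Hardened handler: the role check is enforced server-side, independent of the UI."""
    if user is None:
        raise PermissionError("login required")
    if not can_toggle_app_status(user):
        # Fail closed before touching any state.
        raise Forbidden(f"{user.email} ({user.role.value}) may not change app status")
    if endpoint not in TOGGLE_FIELDS:
        raise ValueError(f"unknown endpoint: {endpoint}")
    setattr(app, TOGGLE_FIELDS[endpoint], value)
    return app


def probe(handler, user: Account) -> dict:
    """Replays the PoC against a handler: the given user tries to disable both the
    web site and the API of a fresh app. Returns whether any request was rejected
    and the app's final state, so the two handlers can be compared directly."""
    app = App(app_id="demo-app")  # constructed sample app, not real data
    rejected = False
    for endpoint in TOGGLE_FIELDS:
        try:
            handler(user, app, endpoint, False)
        except Forbidden:
            rejected = True
    return {"rejected": rejected, "enable_site": app.enable_site, "enable_api": app.enable_api}


if __name__ == "__main__":
    normal = Account("user@example.com", TenantRole.NORMAL)
    print("vulnerable:", probe(toggle_app_status_vulnerable, normal))
    print("fixed:     ", probe(toggle_app_status_fixed, normal))
```

The point of `can_toggle_app_status` being a single shared predicate is that the UI and the endpoint cannot drift apart: whatever rule hides the button is the rule that rejects the request. When verifying a fix in a real deployment, the equivalent check is that the two endpoints return 403 for a normal user's session while the app's settings remain unchanged.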
Impact
This vulnerability allows normal users to enable or disable an app's web site and API without proper authorization, potentially causing disruption and instability for the affected apps. Unauthorized changes to app state can lead to service downtime, data loss, and other operational issues. Properly implemented access controls are essential to maintaining the application's security and availability.
Finder Credits:
Aden Yap Chuen Zhen, BAE Systems Digital Intelligence (Malaysia) (Github ID: zn9988)
Ali Radzali, BAE Systems Digital Intelligence (Malaysia) (Github ID: H0j3n)