Security Vulnerability Report: IDOR — Unauthorized Post & Comment Deletion
Hello @DogukanUrker,
I'm a security researcher and found an IDOR (Insecure Direct Object Reference) vulnerability in FlaskBlog.
Vulnerability Summary
Severity: High (CVSS 8.1)
Type: IDOR — Missing Authorization Check (CWE-639)
Affected Files
app/routes/post.py lines 45–51
Description
In post.py, the /post/<url_id> route loads the post identified by url_id and, on POST, acts on the post_delete_button and comment_delete_button form fields. Nothing verifies that the logged-in user is the author of the post or comment before it is deleted, so the only thing gating deletion is the url_id, which is part of the public URL of every post.
# post.py — MISSING ownership check
if "post_delete_button" in request.form:
    delete_post(post.id)  # any logged-in user can delete any post!
    return redirect("/")
Compare with the correct check in dashboard.py:
# dashboard.py — CORRECT
if session["username"].lower() == username.lower():
    if "post_delete_button" in request.form:
        delete_post(request.form["post_id"])
Proof of Concept
Any authenticated user can delete any other user's post by sending the delete form to that post's URL; the handler deletes the post and answers with a redirect to /:
POST /post/<any_url_id> HTTP/1.1
Cookie: session=<attacker_session>
Content-Type: application/x-www-form-urlencoded

post_delete_button=1
Fix
# post.py — abort unless the caller owns the post or holds the admin role
# (needs `from flask import abort`)
if "post_delete_button" in request.form:
    if post.author != session.get("username") and session.get("user_role") != "admin":
        abort(403)
    delete_post(post.id)
    return redirect("/")
The same check is needed for comment_delete_button: verify comment.username == session["username"] (or the admin role) before deleting, and make sure the comment being deleted actually belongs to the post being viewed. One detail to settle while fixing it: dashboard.py compares usernames with .lower(), whereas the snippet above compares them exactly. Use the same comparison in both routes; a case-insensitive match is only safe if usernames are unique regardless of case.
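To make the report reproducible without standing up the app, here is an added example (my own code, not FlaskBlog's) that models the /post/<url_id> handler with plain dicts for session, form and database. Post.author and the "admin" value of user_role come from the snippets above; the comment_id form field, the Forbidden exception standing in for abort(403), and the in-memory data are assumptions. The vulnerable handler deletes on any authenticated request; the fixed handler applies the ownership-or-admin check to both the post and the comment path, and also refuses comment ids that do not belong to the post being viewed.

```python
"""Added example (not FlaskBlog's code): the /post/<url_id> handler modelled
with plain dicts so the IDOR on the vulnerable path and the ownership check on
the fixed path can be exercised offline."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stand-in for flask.abort(403)."""


@dataclass
class Post:
    id: int
    url_id: str
    author: str
    comments: dict = field(default_factory=dict)  # comment id -> comment author


def sample_db():
    """Constructed data: alice owns post 1 (with one comment by alice and one by
    mallory); mallory owns post 2."""
    return {
        "p-victim": Post(1, "p-victim", "alice", {10: "alice", 11: "mallory"}),
        "p-attacker": Post(2, "p-attacker", "mallory"),
    }


def post_route_vulnerable(db, url_id, session, form):
    """Mirrors the reported logic: deletion is gated only by knowing url_id."""
    post = db[url_id]
    if "post_delete_button" in form:
        del db[url_id]  # session is never consulted
        return "302 /"
    if "comment_delete_button" in form:
        post.comments.pop(int(form["comment_id"]))  # comment_id field is assumed
        return f"302 /post/{url_id}"
    return "200 render"


def owns_or_admin(session, owner):
    """Authorization decision: caller is the owner or holds the admin role.
    Usernames are compared with .lower() to match dashboard.py's existing check,
    which is only safe if usernames are unique case-insensitively."""
    username = session.get("username")
    if username is None:
        return False
    if username.lower() == owner.lower():
        return True
    return session.get("user_role") == "admin"


def post_route_fixed(db, url_id, session, form):
    """Same handler with the missing authorization check on both delete paths."""
    post = db[url_id]
    if "post_delete_button" in form:
        if not owns_or_admin(session, post.author):
            raise Forbidden(f"{session.get('username')} may not delete post {post.id}")
        del db[url_id]
        return "302 /"
    if "comment_delete_button" in form:
        comment_id = int(form["comment_id"])  # comment_id field is assumed
        owner = post.comments.get(comment_id)
        # A comment id that is not on this post is refused exactly like a
        # comment owned by someone else, so the response leaks nothing about
        # comments on other posts.
        if owner is None or not owns_or_admin(session, owner):
            raise Forbidden(f"{session.get('username')} may not delete comment {comment_id}")
        del post.comments[comment_id]
        return f"302 /post/{url_id}"
    return "200 render"


if __name__ == "__main__":
    attacker = {"username": "mallory", "user_role": "user"}
    form = {"post_delete_button": "1"}
    db = sample_db()
    post_route_vulnerable(db, "p-victim", attacker, form)
    print("vulnerable: victim post still present?", "p-victim" in db)
    db = sample_db()
    try:
        post_route_fixed(db, "p-victim", attacker, form)
    except Forbidden as err:
        print("fixed:", err)
    print("fixed: victim post still present?", "p-victim" in db)
```

Running it shows the attacker's request removing the victim's post on the vulnerable path and being refused with the post intact on the fixed path; the author (even with a different capitalisation of the username) and an admin still get through.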
Reported by: Javohir Abdurazzoqov (security researcher)