
[Security] IDOR: Any Authenticated User Can Delete Any Post or Comment #254

Description

Security Vulnerability Report: IDOR — Unauthorized Post & Comment Deletion

Hello @DogukanUrker,

I'm a security researcher and found an IDOR (Insecure Direct Object Reference) vulnerability in FlaskBlog.

Vulnerability Summary

Severity: High (CVSS 8.1)
Type: IDOR — Missing Authorization Check (CWE-639)

Affected Files

  • app/routes/post.py lines 45–51

Description

In post.py, the /post/<url_id> route handles POST requests with post_delete_button and comment_delete_button fields. There is no check that the currently logged-in user is the author of the post/comment before deleting it.

# post.py — MISSING ownership check
if "post_delete_button" in request.form:
    delete_post(post.id)   # any logged-in user can delete any post!
    return redirect("/")

Compare with the correct check in dashboard.py:

# dashboard.py — CORRECT
if session["username"].lower() == username.lower():
    if "post_delete_button" in request.form:
        delete_post(request.form["post_id"])

Proof of Concept

Any authenticated user can delete any other user's post:

POST /post/<any_url_id>
Cookie: session=<attacker_session>
Content-Type: application/x-www-form-urlencoded

post_delete_button=1

Fix

if "post_delete_button" in request.form:
    if post.author != session.get("username") and session.get("user_role") != "admin":
        abort(403)
    delete_post(post.id)
    return redirect("/")

Same fix needed for comment_delete_button — check comment.username == session["username"] before deleting.


Reported by: Javohir Abdurazzoqov (security researcher)
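As an added example (not FlaskBlog's own code), the following plain-Python model of the delete handler puts the reported missing check beside an ownership-checking version that also covers comments; Post, Session, make_store and attempt_delete are constructed names, and the dict stands in for the database.

```python
# Added illustration, not FlaskBlog code: names and sample data are constructed.
from dataclasses import dataclass

class Forbidden(Exception):
    """Stands in for Flask's abort(403)."""

@dataclass
class Post:
    id: int
    author: str

@dataclass
class Session:
    username: str
    user_role: str = "user"

def make_store():
    # Constructed sample data: one post each from two different users.
    return {1: Post(1, "alice"), 2: Post(2, "bob")}

def delete_post_vulnerable(store, session, post_id):
    """Mirrors the reported bug: the caller is authenticated, but nothing
    ties the session user to the object being deleted."""
    del store[post_id]  # IDOR: any logged-in user reaches this line
    return "deleted"

def is_owner_or_admin(resource_owner, session):
    """Object-level check usable for posts and comments; usernames compared
    case-insensitively, matching the comparison already used in dashboard.py."""
    if session.user_role == "admin":
        return True
    return resource_owner.casefold() == session.username.casefold()

def delete_post_fixed(store, session, post_id):
    """Hardened handler: authorize against the object before deleting it."""
    post = store.get(post_id)
    if post is None:
        raise KeyError(post_id)  # Flask would return 404 here
    if not is_owner_or_admin(post.author, session):
        raise Forbidden(f"{session.username} does not own post {post_id}")
    del store[post_id]
    return "deleted"

def attempt_delete(handler, store, session, post_id):
    # Run a handler and map its outcome to an HTTP-style result string.
    try:
        return handler(store, session, post_id)
    except Forbidden:
        return "403"
    except KeyError:
        return "404"
```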

Labels: bug (Something isn't working), high-priority (High priority items), security (Security-related issues)