Hey everyone, I'm sure you've noticed that most of our posts have disappeared. Not a big issue, there was only a handful of them and it was mostly just posting our podcast episodes from YouTube. Turns out, I made a big oopsie.
On the permalink page for each post (the dedicated post page), there are post control buttons (edit, delete) that appear if the current user has proper permissions. None of you will see these controls, and that's by design. However, there was a problem.
In order to avoid accidental deletions, I had added a modal (popup box) that asks the user to confirm that they really really wanted to delete the post. This modal, like a lot of other UI elements on my site, uses the BlazorBootstrap library. I had assumed that, like many page elements in Blazor (the framework this site is built upon), if the modal was not being shown, then it wasn't actually being rendered to the DOM. However, it turns out this is NOT the case, and it is indeed rendered, but just hidden.
That means that any time you create a modal in your Blazor page, unless you are taking some manual measures to make sure it is unloaded, your modals will be loaded at all times. That means that any Joe Schmo from off the street can load up the page source in their browser tools and force the modal to show. In which case, you better be absolutely sure that any buttons or actions called from within that modal are properly checking authorization on the server side, otherwise the attacker has full access to any of them.
Fortunately, this was an isolated incident with relatively low stakes. I have since fixed the issue. Other privileged actions on the site were not affected, as everything else is authorized on a full-page basis, meaning if you can't do a thing, you can't access the page at all. So, in a way, I'm grateful to my anonymous friend for finding this vulnerability and teaching me this lesson in such a low-stakes manner.
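One way to close both gaps described above, as an added example rather than this site's actual code or fix: keep the modal out of the DOM for users who fail the policy, and re-check authorization inside the delete handler itself. The `CanDeletePosts` policy, the `IPostStore` service and the `PostControls.razor` component name are hypothetical; it assumes interactive server rendering (so the handler runs on the server) with cascading authentication state enabled. In Blazor WebAssembly the same check belongs in the API endpoint the handler calls.

```razor
@* PostControls.razor: hypothetical component, added example only *@
@using BlazorBootstrap
@using Microsoft.AspNetCore.Authorization
@using Microsoft.AspNetCore.Components.Authorization
@inject IAuthorizationService AuthorizationService
@* IPostStore is a hypothetical data service *@
@inject IPostStore Posts

@* Layer 1: AuthorizeView only renders its Authorized content for users who
   pass the policy, so the buttons and the hidden modal never reach the DOM
   for anyone else. This is defense in depth, not the security boundary. *@
<AuthorizeView Policy="CanDeletePosts">
    <Authorized>
        <Button Color="ButtonColor.Danger" @onclick="() => confirmDelete.ShowAsync()">Delete</Button>

        <Modal @ref="confirmDelete" Title="Delete this post?">
            <BodyTemplate>This cannot be undone.</BodyTemplate>
            <FooterTemplate>
                <Button Color="ButtonColor.Secondary" @onclick="() => confirmDelete.HideAsync()">Cancel</Button>
                <Button Color="ButtonColor.Danger" @onclick="DeleteAsync">Yes, delete</Button>
            </FooterTemplate>
        </Modal>
    </Authorized>
</AuthorizeView>

@code {
    [Parameter, EditorRequired] public int PostId { get; set; }
    [CascadingParameter] private Task<AuthenticationState>? AuthState { get; set; }

    private Modal confirmDelete = default!;

    private async Task DeleteAsync()
    {
        // Layer 2: the real boundary. Evaluate the policy again at the moment
        // of the action, regardless of how the button became clickable.
        if (AuthState is null) return;              // no auth state: fail closed
        var user = (await AuthState).User;
        var result = await AuthorizationService.AuthorizeAsync(user, "CanDeletePosts");
        if (!result.Succeeded) return;              // unauthorized: do nothing

        await Posts.DeleteAsync(PostId);            // hypothetical store call
        await confirmDelete.HideAsync();
    }
}
```

If the markup guard is ever dropped or bypassed, the handler check still refuses the delete, which is the property the post says was missing.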