idor allow the attacker to restrict the victim access on the editorsite

amitkh

idor allow the attacker to restrict the victim site access

info:idor allow the attacker to restrict the victim access on the editorsite
there is option to edit the segment on site and when we are editing the segment there is section name as PublishDataByEnvs there is the parameter name as id which is vulnerable for idor, when we replacing our PublishDataByEnvs id with victim id then the victim PublishDataByEnvs id is removed from the victim segment that leads to be when victim login into the website editor.domain.com then website loads all the data and fails to load the PublishDataByEnvs id of victim segment as that id is takeover by the attacker and which leads to be a dos on victim account and victim not able to access the account

#POC

step1: login in the attacker account

step2: intercepted the request while editing my segment

step3: there is the section name as PublishDataByEnvs and replaced the victim PublishDataByEnvs id there

step4:send the request

step5:when victim logged in to the account

then site try to load the all content including the segment but in segment the site unable to load PublishDataByEnvs and which leads to the dos on the victim account and vicitm not able to access the account

What happened in the backend (step-by-step)

Client request arrives — attacker sends a valid authenticated publish request whose JSON contains PublishDataByEnvs.Id = <victim_id> (replaced by the attacker).

Server accepts request — the publish handler parses the JSON and trusts the provided Id without verifying ownership or permissions.

DB operation executes — backend runs an update/delete/insert against the publish_data_by_envs table using the attacker-supplied Id. Example behavior:

UPDATE publish_data_by_envs SET owner = attacker_id, … WHERE id = <victim_id>

or DELETE FROM publish_data_by_envs WHERE id = <victim_id>

Referential state changes — the victim’s segment row(s) no longer reference the expected PublishDataByEnvs entry (it is removed or now points to attacker-controlled data). If foreign keys exist without cascading rules, references may be left dangling or set to NULL.

Cache / search index stale — any cached copy or index still expecting the original entry now fails to find it (cache not invalidated properly).

Editor reads updated state — when victim loads editor.domain.com, backend returns segment data that lacks the expected PublishDataByEnvs entry or returns an entry with unexpected values.

Editor fails to initialize — frontend code attempts to access fields of the missing entry and throws an unhandled error or fails a critical initialization path → user-facing DoS.

No authorization logs / silent success — because the server allowed the change, there may be little/no suspicious logging unless cross-account modifications were instrumented.

bounty