| Title | AstrBotDevs AstrBot 4.24.2 Insecure Direct Object Reference (CWE-639) |
|---|---|
| Description | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the event processing logic in `astrbot/core/astr_main_agent.py` of AstrBot.
The application fails to validate delimiter characters when extracting session IDs from user-controlled WebChat events. By injecting a `!` character into the `session_id` parameter (e.g., `attacker!victim_session_id`), the server's `.split("!")[-1]` logic extracts the victim's session ID as the target. This allows any authenticated attacker to associate their actions with another user's session and arbitrarily overwrite the victim's session metadata, such as the display title.
# Vulnerable Code
File: astrbot/core/astr_main_agent.py
Method: handle_event
Why: The code applies an unsafe string split, `event.session_id.split("!")[-1]`, to an attacker-controlled value that has not been validated against delimiter injection, and then uses the result as the target session without an ownership check.
# Reproduction
1. Log into the AstrBot Dashboard via `/api/auth/login` to obtain an authentication token.
2. Identify or enumerate a target victim's session ID (e.g., UUID format).
3. Connect to the WebSocket `/api/unified_chat/ws`.
4. Send a message with `session_id` set to `attacker!{victim_session_id}` containing the command `//rename EXPLOIT_RENAMED`.
5. The backend renames the victim's session display name in the database.
# Impact
- Arbitrary modification of metadata for any user's session on the platform.
- Impairment of data integrity and potential disruption of automated workflows that rely on accurate session metadata. |
|---|---|
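The following is an added illustration, not code from AstrBot or from the advisory: it places the `split("!")[-1]` pattern described above beside a hardened lookup that rejects delimiter injection and enforces session ownership (the CWE-639 control). The `WebChatEvent` class, the `SESSION_OWNERS` table and the `owner_of` lookup are constructed stand-ins, and session ids are assumed to be plain UUID strings; if the real code splits on `!` for a legitimate composite-id format, the structural check would instead need to validate each component.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


# Hypothetical stand-in for AstrBot's WebChat event; the real class is not shown in the advisory.
@dataclass
class WebChatEvent:
    session_id: str  # taken from the client's WebSocket message, attacker-controlled
    user_id: str     # identity bound to the authenticated connection, server-controlled


# Assumption: session ids are plain UUID strings (the advisory mentions "UUID format").
_UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample ownership table standing in for the application's database.
SESSION_OWNERS = {"11111111-1111-1111-1111-111111111111": "victim"}


def extract_target_vulnerable(event: WebChatEvent) -> str:
    """The pattern the advisory describes: whatever follows the last '!' is
    trusted as the target session, with no format or ownership check."""
    return event.session_id.split("!")[-1]


def extract_target_hardened(event: WebChatEvent,
                            owner_of: Callable[[str], Optional[str]]) -> Tuple[str, Optional[str]]:
    """Return ("ok", session_id), ("malformed", None) or ("forbidden", None).

    owner_of(session_id) -> owning user id or None; an assumed lookup helper.
    """
    sid = event.session_id
    # 1. Structural check: exactly one well-formed UUID, so a '!' (or any other
    #    delimiter smuggled into the field) is rejected before anything is split.
    if not _UUID_RE.fullmatch(sid):
        return "malformed", None
    # 2. Authorization check: the session must belong to the connected user.
    #    A None owner (unknown session) also fails this comparison.
    if owner_of(sid) != event.user_id:
        return "forbidden", None
    return "ok", sid


if __name__ == "__main__":
    evt = WebChatEvent("attacker!11111111-1111-1111-1111-111111111111", "attacker")
    print("vulnerable picks:", extract_target_vulnerable(evt))                     # the victim's id
    print("hardened says:", extract_target_hardened(evt, SESSION_OWNERS.get))      # ('malformed', None)
```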
| Source | https://gist.github.com/YLChen-007/91a7f955143099e1747424707dfad0f9 |
|---|---|
| User | Eric-a (UID 96353) |
|---|---|
| Submission | 07/05/2026 01:32 PM (29 days ago) |
|---|---|
| Moderation | 31/05/2026 09:14 AM (24 days later) |
|---|---|
| Status | Accepted |
|---|---|
| VulDB Entry | 367491 [AstrBotDevs AstrBot 4.24.2 astr_main_agent.py astr_main_agent session_id authorization bypass] |
|---|---|
| Points | 20 |
|---|---|