| タイトル | AstrBotDevs AstrBot 4.24.2 Insecure Direct Object Reference (CWE-639) |
|---|
| 説明 | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the event processing logic in `astrbot/core/astr_main_agent.py` of AstrBot.
The application fails to validate delimiter characters when extracting session IDs from user-controlled WebChat events. By injecting a `!` character into the `session_id` parameter (e.g., `attacker!victim_session_id`), the server's `.split("!")[-1]` logic will extract the victim's session ID as the target. This allows any authenticated attacker to associate their actions with another user's session and arbitrarily overwrite the victim's session metadata, such as the display title.
# Vulnerable Code
File: astrbot/core/astr_main_agent.py
Method: handle_event
Why: The code uses an unsafe string splitting operation `event.session_id.split("!")[-1]` on an attacker-controlled variable that has not been sanitized against delimiter injection.
# Reproduction
1. Log into the AstrBot Dashboard via `/api/auth/login` to obtain an authentication token.
2. Identify or enumerate a target victim's session ID (e.g., UUID format).
3. Connect to the WebSocket `/api/unified_chat/ws`.
4. Send a message with `session_id` set to `attacker!{victim_session_id}` containing the command `//rename EXPLOIT_RENAMED`.
5. The backend will rename the victim's session display name in the database.
# Impact
- Arbitrary modification of metadata for any user's session on the platform.
- Impairment of data integrity and potential disruption of automated workflows that rely on accurate session metadata. |
|---|
| ソース | ⚠️ https://gist.github.com/YLChen-007/91a7f955143099e1747424707dfad0f9 |
|---|
| ユーザー | Eric-a (UID 96353) |
|---|
| 送信 | 2026年05月07日 13:32 (28 日 ago) |
|---|
| モデレーション | 2026年05月31日 09:14 (24 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367491 [AstrBotDevs AstrBot 4.24.2 astr_main_agent.py astr_main_agent session_id 特権昇格] |
|---|
| ポイント | 20 |
|---|