| 제목 | AstrBotDevs AstrBot 4.24.2 Insecure Direct Object Reference (CWE-639) |
|---|
| 설명 | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the event processing logic in `astrbot/core/astr_main_agent.py` of AstrBot.
The application fails to validate delimiter characters when extracting session IDs from user-controlled WebChat events. By injecting a `!` character into the `session_id` parameter (e.g., `attacker!victim_session_id`), the server's `.split("!")[-1]` logic will extract the victim's session ID as the target. This allows any authenticated attacker to associate their actions with another user's session and arbitrarily overwrite the victim's session metadata, such as the display title.
# Vulnerable Code
File: astrbot/core/astr_main_agent.py
Method: handle_event
Why: The code uses an unsafe string splitting operation `event.session_id.split("!")[-1]` on an attacker-controlled variable that has not been sanitized against delimiter injection.
# Reproduction
1. Log into the AstrBot Dashboard via `/api/auth/login` to obtain an authentication token.
2. Identify or enumerate a target victim's session ID (e.g., UUID format).
3. Connect to the WebSocket `/api/unified_chat/ws`.
4. Send a message with `session_id` set to `attacker!{victim_session_id}` containing the command `//rename EXPLOIT_RENAMED`.
5. The backend will rename the victim's session display name in the database.
# Impact
- Arbitrary modification of metadata for any user's session on the platform.
- Impairment of data integrity and potential disruption of automated workflows that rely on accurate session metadata. |
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/91a7f955143099e1747424707dfad0f9 |
|---|
| 사용자 | Eric-a (UID 96353) |
|---|
| 제출 | 2026. 05. 07. PM 01:32 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 31. AM 09:14 (24 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 367491 [AstrBotDevs AstrBot 4.24.2 astr_main_agent.py astr_main_agent session_id 권한 상승] |
|---|
| 포인트들 | 20 |
|---|