> For the complete documentation index, see [llms.txt](https://mohamed-abdelhady.gitbook.io/cves/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://mohamed-abdelhady.gitbook.io/cves/cve-2022-4809-full-account-takeover.md).

# CVE-2022-4809 - Full account takeover

CVE-2022-4809 - Full account takeover in Memos

![Untitled](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/3947998b-0094-42f3-9a5f-5e59c42ca0f6)

### Introduction

**CVE : CVE-2022-4809**

**Description :** Account take over via changing email and username and displayed name (IDOR) in api/memo.go and api/user\_setting.go

**Version** : 0.8.3

**Product** : UseMemos/Memos

![Screenshot 2023-05-12 162710](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/6803ffd5-0aba-4a68-9e9f-8ea2448f4445)

***

**Building The Testing Lab**

Download the [Product](https://github.com/usememos/memos) source code

Deploy with Docker in seconds

```
docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos ghcr.io/usememos/memos:latest
```

***

**OR**

You can use the live demo [website](https://demo.usememos.com/)

***

### Static Analysis

In File `web/src/components/ChangePasswordDialog.tsx`

![Screenshot 2023-05-12 182341](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/79fdcb6c-8f4a-4fe9-bd70-25dba98a78dc)

The front code (React) in `web/src/components/ChangePasswordDialog.tsx` handle the button click by sending the \[ id , username , nickname , email ] as arguments to patchUser function .

So in `server/user.go` File has API requests routing .Let's Check it out

![image](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/3529a42b-e849-4c2b-ac68-8c555d3b4ce9)

![image](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/e1709868-7b83-4773-acac-754b59a93da7)

![image](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/b2a2bb4c-9996-42b1-bc4f-f6ec0912fee2)

This code snippet is using the Go Echo web framework to define a route for handling HTTP PATCH requests to update a user resource identified by an ID parameter.

The route is defined using the `g.PATCH` method of the `echo` package, which takes two arguments: a path pattern to match the URL path of incoming requests, and a handler function to execute when a request matches the pattern.

In this case, the path pattern is `/user/:id`, where :id is a named parameter that can match any integer value. This means that requests to paths like "/user/123" or "/user/456" will match this route, with the corresponding integer value for :id being available to the handler function.

Next, the handler retrieves the id parameter from the URL path using the Param() method of the echo.Context object, and converts it from a string to an integer using the strconv.Atoi() function. This integer value is then assigned to the userID variable, which can be used to identify the user resource being updated.

Then handling some errors if the `id` is not an integer number.

The line (8) The c.Get() method is used to retrieve a value from the context object associated with the incoming request. The argument to this method is a key that identifies the value to be retrieved. In this case, the key is obtained by calling the getUserIDContextKey() function, which presumably returns a unique string or other type that identifies the user ID value.

Then trying to find user data via calling `s.Store.FindUser()` Function with `currentUserID` argument , So till now there is no vuln flow ,let's continue check `FindUser` Function.

![image](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/6798c387-6f95-4b94-b02d-3590c9159de3)

It just check if the userID is not null then call `findUserList` function that return all user information list and finally back with the user row data.

So let's back to patch routing code at line (15) check if there any errors back from `FindUser` function and `currentUser` variable is still null that means the user is not found.

At line (24) it call UserPatch with The `userID` argument

***

**Note**

The `userID` is the user id that got from URL `/user/123`

***

At line (28) decode the json request body and check it if there is any error. Then validate the email and insert it in the `userPatch` obbject.

At line (34) This code snippet checks whether a password field is provided in the userPatch object and whether it is not empty. If a password is provided and not empty, the method generates a hash value from the password using the `bcrypt.GenerateFromPassword()` function from the bcrypt package. The `bcrypt.GenerateFromPassword()` function takes two arguments: a byte slice representing the password, and the cost of the hash algorithm. In this case, `bcrypt.DefaultCost` is used as the cost, which is a predefined cost factor that determines how computationally expensive the hashing operation should be. If an error occurs during the hash generation process, the method returns an echo.NewHTTPError object that wraps the error with an internal error message. If the hash generation process succeeds, the method converts the byte slice result of `bcrypt.GenerateFromPassword()` to a string value and assigns it to the PasswordHash field of the userPatch object, which is a pointer to a string value. The PasswordHash field is then inserted in the userPatch object .

At line (42) Check if the `ResetOpenID` is not null and generate new one and insert it in userPatch object.

Finally the vulerable code is at line (46) Update the user information via call `s.Store.PatchUser()` function with `userPatch` object.

![image](https://github.com/mohamedabdelhady933/CVEs-Analyzing/assets/73122852/a89c274f-0283-47a1-80fe-104eec59e3e5)

**If you back to the note above , The `userID` is the user id that got from URL `/user/123` is inserted in `userPatch` object not the current user id.**

So that code is vulnerable to IDOR via changing UserId in the URL.

***

### Mitigation

Insert the current user id while updating the user information without sending the id in the request.

***

### References

<https://github.com/usememos/memos>
