
Bug: Users can assign less ratings than required by passing invalid choices to backend #320

@heofthetea

Description


Disclaimer: I am a student myself and discovered this while tinkering with a ratingallocate my university deployed. As such I am limited in both my knowledge about this application, as well as my ability to give 100% detailed instructions on replication. I'm submitting this because I feel obligated to share this exploit.

Pre-requisites

  1. a ratingallocate where users must rank 3 choices by preference (out of n > 3 possible choices) (it doesn't have to be 3 - any number > 1 can be exploited this way). This corresponds to strategy_05.
  2. Assume that the total capacity of the choices is higher than the number of users who need to be distributed, i.e. every user must be assigned to some choice
  3. For demonstration purposes, let's assume that valid choices are 100, 101, 102, and 103.

Steps to reproduce

  • As a user, navigate to the allocation form where you can give ratings to choices
  • Change the body of the submit POST request so that 2 of the 3 choices include any invalid choice:
Key        value (example "correct" request)    value (tinkered request)
choice 1   100                                  100
choice 2   101                                  0
choice 3   102                                  0

The entire body now looks like this:

action=give_rating
&sesskey=QRFJD8AgcR
&_qf__ratingallocate_strategy_order_mod_ratingallocate_view_form=1
&mform_isexpanded_id_choice_descriptions=1
&choice%5B1%5D=100
&choice%5B2%5D=0
&choice%5B3%5D=0
&submitbutton=%C3%84nderungen+speichern

Intended Behaviour

  • The backend should reject the request with status code 422

I deduce this intended behaviour from the fact that the input is validated client-side: Leaving a selector empty results in an error message "you must select a state".

Actual Behaviour

  • The backend accepts the request
  • The invalid choices (those with choiceid 0) are filtered out by this loop
  • The user managed to give only one rating instead of three

Due to the graph structure the solver strategies build up and use and prerequisite 2, submitting only one rating guarantees the user an allocation to this choice. Depending on context, this might give them an unfair advantage over other users.


I hope this is helpful to you despite my lack of detailed instructions.
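The following is an added example of the server-side check the report asks for, not code from the ratingallocate project or from the reporter. It is plain PHP with no Moodle form API, and the function name `validate_order_ratings` and the structure of its arguments are assumed for illustration; the sample choice ids and the two request bodies are the ones quoted in the report. Instead of silently filtering unknown choice ids (which is what lets a user submit fewer ratings than required), it rejects the whole submission when any posted rank refers to an id outside the activity's choices, when a choice is ranked twice, or when fewer than the required number of ranks are present.

```php
<?php
// Added example, not ratingallocate's own code: strict server-side validation of
// a strategy_05 (order) rating submission. Names and sample data are assumed.

/**
 * @param array $posted       rank => choiceid, as decoded from choice[1], choice[2], ...
 * @param int[] $validchoices ids of the choices that exist for this activity
 * @param int   $required     number of ranks the strategy requires
 * @return string[]           error messages; an empty array means the submission is valid
 */
function validate_order_ratings(array $posted, array $validchoices, int $required): array {
    $errors = [];
    $valid = array_flip($validchoices);   // choiceid => index, for cheap membership tests
    $seen = [];

    // Exactly $required ranks must be posted; fewer or more is rejected outright.
    if (count($posted) !== $required) {
        $errors[] = "expected exactly $required ranked choices, got " . count($posted);
    }

    for ($rank = 1; $rank <= $required; $rank++) {
        if (!array_key_exists($rank, $posted)) {
            $errors[] = "rank $rank is missing";
            continue;
        }
        $choiceid = $posted[$rank];
        // Anything that is not a known choice id (0, an unrelated number, a
        // non-numeric string) is an error, not something to drop quietly.
        if (!is_numeric($choiceid) || !isset($valid[(int) $choiceid])) {
            $errors[] = "rank $rank refers to an invalid choice id (" . var_export($choiceid, true) . ")";
            continue;
        }
        $choiceid = (int) $choiceid;
        // A ranking must not name the same choice twice.
        if (isset($seen[$choiceid])) {
            $errors[] = "choice $choiceid is ranked more than once";
        }
        $seen[$choiceid] = true;
    }
    return $errors;
}

// Constructed sample input: the valid choice ids and the two request bodies from
// the report, already decoded from choice[1]=..., choice[2]=..., choice[3]=... .
$validchoices = [100, 101, 102, 103];
$correct  = [1 => '100', 2 => '101', 3 => '102'];
$tinkered = [1 => '100', 2 => '0',   3 => '0'];

foreach (['correct' => $correct, 'tinkered' => $tinkered] as $label => $posted) {
    $errors = validate_order_ratings($posted, $validchoices, 3);
    if ($errors) {
        // Reject the request as a whole, matching the intended behaviour in the report.
        http_response_code(422);
        echo "$label request rejected:\n";
        foreach ($errors as $e) {
            echo "  - $e\n";
        }
    } else {
        echo "$label request accepted\n";
    }
}
```

The important design choice is that validation is all-or-nothing: a single invalid rank fails the submission, so the number of ratings that reach the solver can never be lower than the strategy requires. Checking membership against the activity's own choice ids (rather than just non-zero) also covers ids that belong to a different ratingallocate instance.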
