Disclaimer
This advisory is related to my other security advisory, for which GitHub asked for separate posts in order to get CVE IDs.
Arbitrary privilege escalation
Description
An arbitrary user can change their own role to "admin", gaining the privileges that go with it (e.g. deleting users, posts, comments, etc.). The problem is in the routes/adminPanelUsers file, between line 36 and line 49:
```python
# Vulnerable ordering as found in routes/adminPanelUsers: both form actions
# run before the role check, so any logged-in user reaching this route can
# trigger them.
if "userDeleteButton" in request.form:
    Log.info(
        f"Admin: {session['userName']} deleted user: {request.form['userName']}"
    )
    Delete.user(request.form["userName"])  # executed without verifying the caller is an admin
if "userRoleChangeButton" in request.form:
    Log.info(
        f"Admin: {session['userName']} changed {request.form['userName']}'s role"
    )
    changeUserRole(request.form["userName"])  # executed without verifying the caller is an admin
```
These lines run before the user-role check, so they are executed even when the requesting user is not an admin.
The same code also lets an arbitrary user delete any other user of the blog, but escalating privileges would allow that anyway, so the privilege escalation is the more serious of the two vulnerabilities.
PoC
The "test" user's profile before the attack. As can be seen, it is unprivileged (Role: User).

The image below shows the crafted request made using the "test" user.

The "test" user's profile after the attack. The user's role is now admin, giving it complete access to all functionality.

Solution
Move the code that checks the user's role BEFORE line 36 of the file routes/adminPanelUsers, so that no admin-panel action is processed until the caller has been confirmed to be an admin.
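The following is an added illustration of the ordering problem described above and of the fix; it is not the project's code. It models the handler without Flask so it runs stand-alone: the in-memory user store, the `delete_user`/`change_user_role` helpers and the `session`/`form` dicts are constructed stand-ins for the application's `Delete.user`, `changeUserRole`, `session` and `request.form`. The vulnerable version keeps the snippet's order (actions first, role check after); the fixed version performs the role check in a decorator before the handler body is entered.

```python
# Added example, not the advisory's or the project's code. All names below
# (Forbidden, is_admin, admin_required, the users dict) are assumptions that
# mirror the shape of the vulnerable route, using a plain dict as the user store.
import functools
import logging

log = logging.getLogger("adminPanelUsers")


class Forbidden(Exception):
    """Raised when a non-admin reaches an admin-only handler."""


def delete_user(users, name):
    # Stand-in for Delete.user(): drop the account from the store.
    users.pop(name, None)


def change_user_role(users, name, new_role="admin"):
    # Stand-in for changeUserRole(): the route in question promotes to admin.
    if name in users:
        users[name] = new_role


def is_admin(users, session):
    # Role lookup for the logged-in user; unknown users are never admins.
    return users.get(session.get("userName")) == "admin"


def admin_panel_users_vulnerable(users, session, form):
    """Same order as the snippet: actions run first, role check afterwards.
    By the time the check executes the store has already been modified."""
    if "userDeleteButton" in form:
        log.info("Admin: %s deleted user: %s", session["userName"], form["userName"])
        delete_user(users, form["userName"])
    if "userRoleChangeButton" in form:
        log.info("Admin: %s changed %s's role", session["userName"], form["userName"])
        change_user_role(users, form["userName"])
    if not is_admin(users, session):
        raise Forbidden("admin role required")
    return "ok"


def admin_required(handler):
    """Decorator that performs the role check before the handler body runs,
    so the ordering mistake cannot be reintroduced by editing the body."""
    @functools.wraps(handler)
    def wrapper(users, session, form):
        if not is_admin(users, session):
            # Worth logging: a non-admin posting admin-panel buttons is a
            # useful detection signal for this class of bug.
            log.warning("Denied admin action for non-admin user %r", session.get("userName"))
            raise Forbidden("admin role required")
        return handler(users, session, form)
    return wrapper


@admin_required
def admin_panel_users_fixed(users, session, form):
    """Fixed ordering: only reached once is_admin() has passed."""
    if "userDeleteButton" in form:
        log.info("Admin: %s deleted user: %s", session["userName"], form["userName"])
        delete_user(users, form["userName"])
    if "userRoleChangeButton" in form:
        log.info("Admin: %s changed %s's role", session["userName"], form["userName"])
        change_user_role(users, form["userName"])
    return "ok"


if __name__ == "__main__":
    # Constructed sample store and a request from the unprivileged "test" user.
    users = {"admin": "admin", "test": "user"}
    form = {"userRoleChangeButton": "", "userName": "test"}
    admin_panel_users_vulnerable(users, {"userName": "test"}, form)
    print("vulnerable ordering, role of test:", users["test"])  # admin
    users = {"admin": "admin", "test": "user"}
    try:
        admin_panel_users_fixed(users, {"userName": "test"}, form)
    except Forbidden:
        print("fixed ordering, role of test:", users["test"])  # user
```

The decorator form is the simplest way to apply the advisory's recommendation: with the check bound to the route rather than placed as a statement inside it, every admin-panel action is gated regardless of where in the body it sits.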