Summary
A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
Details
modules/utenti/actions.php is reachable directly via http://<IP>:8080/modules/utenti/actions.php and processes privileged information without requiring any authentication or authorization checks on fields like idgruppo. As a result, an attacker can submit a crafted POST request that updates the targets record and assigns it to the administrator group.
The file explicitly sets:
$skip_permissions = true;
include_once __DIR__.'/../../core.php';
core.php then invokes:
Thus, disabling any authentication and permission enforcement. As a result, this file processes operations based on the op parameter in the POST request, not only update_user. Sensitive fields like idgruppo and others can be updated without verifying anything.
PoC
A target username exists, such as "agent" with an ID of 4. No authentication or cookies are required. Send the following POST request via Burp Suite or similar:
The target's group is updated in the database.
Verify the changes in the database before and after the POST request:
Changes also visible in the administrator panel, they have been moved from the Agenti group to Amministratori.
Impact
An unauthenticated attacker can assign administrator privileges to existing users, modify group memberships, enable/disable accounts and other operations that are exposed in the file. This can lead to a full compromise of the application.
References
RunProgram Reporter
Summary
A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (
idgruppo) by directly callingmodules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.Details
modules/utenti/actions.phpis reachable directly viahttp://<IP>:8080/modules/utenti/actions.phpand processes privileged information without requiring any authentication or authorization checks on fields like idgruppo. As a result, an attacker can submit a crafted POST request that updates the targets record and assigns it to the administrator group.The file explicitly sets:
core.phpthen invokes:Permissions::skip();Thus, disabling any authentication and permission enforcement. As a result, this file processes operations based on the
opparameter in the POST request, not onlyupdate_user. Sensitive fields likeidgruppoand others can be updated without verifying anything.PoC
A target username exists, such as "agent" with an ID of 4. No authentication or cookies are required. Send the following POST request via Burp Suite or similar:
The target's group is updated in the database.
Verify the changes in the database before and after the POST request:
Changes also visible in the administrator panel, they have been moved from the Agenti group to Amministratori.
Impact
An unauthenticated attacker can assign administrator privileges to existing users, modify group memberships, enable/disable accounts and other operations that are exposed in the file. This can lead to a full compromise of the application.
References