Reseller role allowed to access to admin functionalities in froxlor/froxlor
Reported on
Dec 30th 2022
Description
The reseller user can access some admin functionality simply by opening its URL directly, even though the menu does not expose it.
Proof of Concept
- Go to https://v2.demo.froxlor.org
- Login as reseller1
- Point to:
  https://v2.demo.froxlor.org/admin_opcacheinfo.php?page=showinfo
  https://v2.demo.froxlor.org/admin_mysqlserver.php?page=mysqlserver
  https://v2.demo.froxlor.org/admin_cronjobs.php?page=overview
Impact
A reseller user can access admin functionalities.
- https://v2.demo.froxlor.org/admin_ipsandports.php?page=ipsandports
reseller1 has permission for "all ips" - this is simply an interface issue, he can view/edit ips assigned to him -> intended
- https://v2.demo.froxlor.org/admin_mysqlserver.php?page=mysqlserver
Plain interface issue, he cannot add/edit servers, the api won't allow this due to the permission check (if change_serversettings = 0, which he has, just send the form and you'll get a "not allowed")
- https://v2.demo.froxlor.org/admin_cronjobs.php?page=overview
Same as 2) - simple interface issue, he cannot actually update data, as he does not have the permission for it (API side)
In addition to the ipsandports page - it's intended that the menu is not visible for the reseller because the (api based) listing is required for adding new domains - but if - which is the case in the demo - he can see all ips, it is no improper authorization, he basically can see and update the ips he's assigned to. An edit is arguable of course, but he cannot add new ips (if not change_serversettings=1) due to permission checks
Ok, so the broken auth is about the reseller's ability to see DBs and the Cron list.
Anyway I'm also adding this other endpoint, https://v2.demo.froxlor.org/admin_opcacheinfo.php?page=showinfo, which can also be seen by the reseller in an unintended way, I think. The reseller can also reset the OP cache.
![image](https://i.imgur.com/xeKlNmw.png)
> I think. The reseller can also reset the OP cache.
No he cannot, you could've found that out by simply clicking on the button.
Also, there's nothing really "secret" about the opcache info... if enabled in php, everyone can get these values using plain php.
> Ok, so the broken auth is about the reseller's ability to see DBs and the Cron list.
It's not DBs he can see, it's DB-servers added to the system. There are no secrets there, as the reseller can assign these db-servers to customers (when creating/editing a customer) - so nothing "broken auth", just hidden in the menu by design because it's simply not relevant for the reseller. Same with Cronjobs, there is no big secret there either: you have information about when the cronjobs last ran and at what interval - which for 99,9% of the froxlor installations would be the default and can be seen on the demo or in the repository, nothing 'dangerous' here
It can reset it if it has change_serversettings set to 1, as with the other functionality. Anyway I'm setting the Integrity score to none, since there is only info disclosure here.
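The thread above turns on one distinction: a link hidden from the menu is not an authorization check, and the maintainer's point is that the write path is gated by an API-side permission check (change_serversettings) while the view path was only hidden. The following is an added Python model of that distinction; it is not froxlor's code. The three page names and the change_serversettings flag come from the report; the sessions, the POLICY table, legacy_dispatch, enforced_dispatch and hidden_but_reachable are constructed for illustration. The audit helper is the check a defender would run after such a report: compare what the menu shows a role against what the page gate actually allows it to open.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """A logged-in admin-area user (constructed for this example)."""
    name: str
    role: str                        # "admin" or "reseller"
    flags: frozenset = frozenset()   # permission flags granted to the account


# Constructed sessions: a full admin, a reseller without the flag (the report's
# reseller1 case) and a reseller that has change_serversettings=1.
ADMIN = Session("admin", "admin", frozenset({"change_serversettings"}))
RESELLER = Session("reseller1", "reseller", frozenset())
RESELLER_SRV = Session("reseller2", "reseller", frozenset({"change_serversettings"}))

# Hypothetical policy table: which flag a page requires to be viewed and to be
# modified. admin_ipsandports.php is left out on purpose: per the maintainer it
# is intentionally reachable for resellers even though the menu hides it.
POLICY = {
    "admin_mysqlserver.php": {"view": "change_serversettings", "edit": "change_serversettings"},
    "admin_cronjobs.php":    {"view": "change_serversettings", "edit": "change_serversettings"},
    "admin_opcacheinfo.php": {"view": "change_serversettings", "edit": "change_serversettings"},
}


def has(session: Session, flag: str) -> bool:
    """A full admin passes every check; everyone else needs the named flag."""
    return session.role == "admin" or flag in session.flags


def menu_for(session: Session) -> list:
    """What the UI renders: links only for pages the session may view."""
    return sorted(p for p, rule in POLICY.items() if has(session, rule["view"]))


def legacy_dispatch(session: Session, page: str, action: str = "view") -> int:
    """Before: only the write path is checked (the API-side permission check);
    the view path relies on the link being absent from the menu."""
    rule = POLICY[page]
    if action == "edit" and not has(session, rule["edit"]):
        return 403
    return 200


def enforced_dispatch(session: Session, page: str, action: str = "view") -> int:
    """After: the page gate applies the same rule the menu uses, then the
    edit rule, before any page code runs. The menu becomes a convenience only."""
    rule = POLICY[page]
    if not has(session, rule["view"]):
        return 403
    if action == "edit" and not has(session, rule["edit"]):
        return 403
    return 200


def hidden_but_reachable(session: Session, dispatch) -> list:
    """Audit: pages the menu hides from this session that the gate still serves.
    Any result here is either a bug or a documented by-design exception."""
    visible = set(menu_for(session))
    return sorted(p for p in POLICY
                  if p not in visible and dispatch(session, p, "view") == 200)


if __name__ == "__main__":
    for name, dispatch in (("legacy", legacy_dispatch), ("enforced", enforced_dispatch)):
        print(name, "reseller1 menu:", menu_for(RESELLER),
              "hidden-but-reachable:", hidden_but_reachable(RESELLER, dispatch))
```

Running the audit against the legacy gate lists all three pages for reseller1, matching what the report observed by direct URL access, while the edit action is refused in both variants because that check already lives in the API layer; against the enforced gate the list is empty, and the reseller that does hold change_serversettings sees the pages in the menu and can use them.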