Title | Code4Berry Decoration Management System 1.0 Improper Handling of Insufficient Privileges |
---|
Description |
Visiting the /decoration/admin/userregister.php endpoint directly, a basic user has the ability to register new users, admins or superadmins - effectively escalating their own privileges to superadmin through creating a new user with full permissions. It's not really necessary, as you already have all the privileges of a superadmin as a regular user due to the security controls only checking if you have a valid session - you are just missing the links to those actions in your side menu. This endpoint also allows a regular user to delete the profiles of anyone, including admins and superadmins. There is also a functionality to restore blocked users, which is accessible to any regular user that visits the /decoration/admin/deleted_users.php endpoint. This ability is restricted to superadmins; however, it doesn't actually restore the users as the functionality is broken. Due to the coding on the other pages, I believe if the functionality did work, then a regular user could issue the request and un-block a removed user.
-----
Also, I submitted a vuln right before this that said it seemed to be a duplicate, as it had the same fields as the first one I submitted, though with a different summary. Here it is again, in case it automatically drops the submission.
Basic users can access /decoration/admin/userregister.php endpoint to see a list of all users, admins and superadmins, along with their full names, phone numbers and emails. You can also visit /decoration/admin/deleted_users.php to see the same information about blocked or deleted users on the app. |
---|
User | scumdestroy (UID 48934) |
---|
Submission | 11/12/2024 04:43 AM (4 months ago) |
---|
Moderation | 11/20/2024 09:11 AM (8 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 285500 [Code4Berry Decoration Management System 1.0 User userregister.php permission] |
---|
Points | 17 |
---|
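Added example, not code from the Code4Berry project or from the submitter: it contrasts the session-only check the submission describes (any logged-in user passes) with a role-aware guard evaluated server-side on every request. The `$_SESSION` keys, the function names and the path-to-role mapping are assumptions made for illustration; only the two endpoint paths come from the submission.

```php
<?php
// Added illustration; not code from the Code4Berry project or the VulDB submission.
// The session layout ($_SESSION['user_id'], $_SESSION['role']), the function names
// and the role mapping below are assumptions for this example.

declare(strict_types=1);

// The pattern the submission describes: the admin pages only ask "is there a
// session at all?", so a basic user who types the URL directly gets through.
function sessionOnlyGuard(array $session): bool
{
    return isset($session['user_id']);
}

// Role-aware guard: the page declares the roles it is meant for, and the check
// runs on the server for every request, independent of which menu links the
// user was shown. The role must come from the stored user record at login,
// never from a request parameter.
function requireRole(array $session, array $allowedRoles): bool
{
    if (!isset($session['user_id'], $session['role'])) {
        return false;
    }
    return in_array($session['role'], $allowedRoles, true);
}

// Per-endpoint policy table. The paths are the ones named in the submission;
// which roles each should require is an assumption for this example.
const ENDPOINT_ROLES = [
    '/decoration/admin/userregister.php'  => ['superadmin'],
    '/decoration/admin/deleted_users.php' => ['superadmin'],
];

// Deny by default: an admin path with no policy entry is never reachable.
function isAllowed(string $path, array $session): bool
{
    if (!array_key_exists($path, ENDPOINT_ROLES)) {
        return false;
    }
    return requireRole($session, ENDPOINT_ROLES[$path]);
}

// Constructed sessions for a regular user and a superadmin.
$sessions = [
    'basic user' => ['user_id' => 42, 'role' => 'user'],
    'superadmin' => ['user_id' => 1,  'role' => 'superadmin'],
];

foreach (array_keys(ENDPOINT_ROLES) as $path) {
    foreach ($sessions as $label => $sess) {
        printf(
            "%-40s %-11s session-only: %-5s role-aware: %s\n",
            $path,
            $label,
            sessionOnlyGuard($sess) ? 'allow' : 'deny',
            isAllowed($path, $sess) ? 'allow' : 'deny'
        );
    }
}
```

Run it with `php guard.php`; the session-only column allows both users on both paths, while the role-aware column allows only the superadmin. The same `isAllowed()` check has to wrap the POST handlers (register, delete, restore) as well as the page views, since the submission notes that hiding menu links was the only thing separating a basic user from those actions.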