| Title | Code4Berry Decoration Management System 1.0 Improper Handling of Insufficient Privileges |
|---|
| Description |
Visiting the /decoration/admin/userregister.php endpoint directly, a basic user has the ability to register new users, admins or superadmins - effectively escalating their own privileges to superadmin through creating a new user with full permissions. It's not really necessary, as you already have all the privileges of a superadmin as a regular user due to the security controls only checking if you have a valid session - you are just missing the links to those actions in your side menu. This endpoint also allows a regular user to delete the profiles of anyone, including admins and superadmins. There is also a functionality to restore blocked users, which is accessible to any regular user that visits the /decoration/admin/deleted_users.php endpoint. This ability is restricted to superadmins; however, it doesn't actually restore the users as the functionality is broken. Due to the coding on the other pages, I believe if the functionality did work, then a regular user could issue the request and un-block a removed user.
-----
Also, I submitted a vuln right before this that said it seemed to be a duplicate, as it had the same fields as the first one I submitted, though with a different summary. Here it is again, in case it automatically drops the submission.
Basic users can access the /decoration/admin/userregister.php endpoint to see a list of all users, admins and superadmins, along with their full names, phone numbers and emails. You can also visit /decoration/admin/deleted_users.php to see the same information about blocked or deleted users on the app. |
|---|
| User | scumdestroy (UID 48934) |
|---|
| Submitted | 12/11/2024 04:43 AM (1 year ago) |
|---|
| Moderated | 20/11/2024 09:11 AM (8 days later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 285500 [Code4Berry Decoration Management System 1.0 User userregister.php privilege escalation] |
|---|
| Points | 17 |
|---|
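The root cause the submitter describes is an access check that only asks "is there a session?" rather than "does this session's role permit this page?". As an added illustration that is not the Code4Berry project's code, the weak gate is shown beside a role-aware gate that fails closed; the role names, session keys and helper names are assumptions:

```php
<?php
// Added illustration (not Code4Berry's code): a session-only gate lets any
// logged-in user reach admin pages; the hardened gate also checks the role
// stored server-side in the session. Role names and keys are assumed.

declare(strict_types=1);

const ROLE_RANK = ['user' => 1, 'admin' => 2, 'superadmin' => 3];

// Weak check in the style the report describes: only "is there a session?"
function allowedWeak(array $session): bool
{
    return isset($session['user_id']);
}

// Hardened check: require an authenticated session AND a role at or above
// the minimum the page needs. Unknown or missing roles are denied.
function allowedWithRole(array $session, string $minRole): bool
{
    if (!isset($session['user_id'], $session['role'])) {
        return false;
    }
    $have = ROLE_RANK[$session['role']] ?? 0;
    $need = ROLE_RANK[$minRole] ?? PHP_INT_MAX;
    return $have >= $need;
}

// Guard to call at the top of pages such as userregister.php and
// deleted_users.php before any HTML or database work is done.
function requireRole(string $minRole): void
{
    if (!allowedWithRole($_SESSION ?? [], $minRole)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sessions for a quick self-check (php -d zend.assertions=1).
$basic = ['user_id' => 7, 'role' => 'user'];
$super = ['user_id' => 1, 'role' => 'superadmin'];

assert(allowedWeak($basic) === true);                      // the reported gap
assert(allowedWithRole($basic, 'superadmin') === false);   // basic user blocked
assert(allowedWithRole($super, 'superadmin') === true);
assert(allowedWithRole(['user_id' => 9], 'user') === false); // no role: deny
```

The same guard also covers the user-listing and delete actions the report mentions, since those live on the same pages; a per-action check inside the POST handler should use the same function rather than relying on which links the side menu renders.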