Invia #189163: Pre-Authentication Admin Account Takeover in Inventory Management System 1.0informazioni

TitoloPre-Authentication Admin Account Takeover in Inventory Management System 1.0
Descrizione## Summary The password reset feature in SourceCodester Inventory Management System 1.0 does not properly validate user authorization during password reset. This allows any unauthorized user to reset passwords of arbitrary users. ## Issue Description A remote attacker can send a POST request to the edit_update.php endpoint. This attack requires knowledge of the username of the user for login. By changing the user_id parameter, the attacker can change the password of an arbitrary account. Knowledge of the ID is prefered, but can easily be bruteforced by iterating up from 1 until an error is returned. ## Affected URL/Area <host>/ample/app/action/edit_update.php ## Risk Rating - Risk: **HIGH** - Exploitation Difficulty: **LOW** ## CVSS Justification ### Network The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet. This kind of vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). ### Low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component. ### None The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the the vulnerable system to carry out an attack. ### None The vulnerable system can be exploited without interaction from any user. ### Changed An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. ### None There is no loss of confidentiality within the impacted component. ### Low Modification of data is possible, but the negative security effects of the modification is limited. Only the account passwords are changed, no other data. ### High There is a total loss of availability. All users are effectively locked out of their accounts. ## Steps to reproduce Verify that the user with ID=1 has username "[email protected]", this is default. You can change this if you so choose. Request ``` POST /ample/app/action/edit_update.php HTTP/1.1 Host: <HOST HERE> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 45 user_id=1&password=hacked!&c_password=hacked! ``` Login at /ample/login.php with the credentials: ``` [email protected]:hacked! ``` You are now logged in as the default administrator. This login will not work if this account has been deleted or the username has changed. ## Affected Demographic/User Base Any users of this service for inventory management are locked out of their accounts. If the account administrator has a predictable username, then the entire service could be compromised. ## Recommended Fix Add RBAC checks to all php actions. Do not let users reset the passwords of other users without highly protected administrator permissions. ## References ### Authorization https://cwe.mitre.org/data/definitions/284.html https://cwe.mitre.org/data/definitions/285.html https://martellosecurity.com/kb/mitre/cwe/285/ https://docs.guardrails.io/docs/vulnerability-classes/insecure-authentication/improper-authentication https://www.invicti.com/blog/web-security/how-to-avoid-authentication-and-authorization-vulnerabilities/ ## Notes For the issued CVE ID, please credit Michael Blunt as the discovering researcher. List contact email as [email protected]. ## Impact ### Attack Scenario An attacker could use this to reset the password of a valid administrator account. The attacker could then log in normally and use all tools as an administrator.
Utente
 mikel22 (UID 51822)
Sottomissione31/07/2023 16:35 (3 anni fa)
Moderazione05/08/2023 18:45 (5 days later)
StatoAccettato
Voce VulDB236218 [SourceCodester Inventory Management System 1.0 Password edit_update.php user_id escalationi di privilegi]
Punti17

Do you want to use VulDB in your project?

Use the official API to access entries easily!