| タイトル | Broken Access Control lead to Account Takeover in Create User with staff permisson |
|---|
| 説明 | Souce: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
Product: Lost and Found Information System
Version: 1.0
Broken Access Control lead to Account Takeover in Create User with Staff permisson
Step 1. Login to account admin
Step 2. Go to /admin/?page=user/manage_user create a new user with type is Staff
Step 3. Login account type staff was create at step 2
Step 4. Go to /php-lfis/admin/?page=user/manage_user (even though this account has no permissions create user)
Step 5. Create a account with type is Administrator
Step 5. Login new admin account and have full permission
|
|---|
| ソース | ⚠️ https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html |
|---|
| ユーザー | huutuanbg97 (UID 45015) |
|---|
| 送信 | 2023年05月11日 16:22 (3 年 ago) |
|---|
| モデレーション | 2023年05月12日 08:01 (16 hours later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 228886 [SourceCodester Lost and Found Information System 1.0 manage_user 特権昇格] |
|---|
| ポイント | 20 |
|---|