CVE-2023-1541 - Admin Able To Perform Operations On Themselves By Interacting With API Answer
Description
When setting a password through /admin/users URI, the admin is not allowed to set their own new password through this URI. If they attempt to do so, they receive an error stating Forbidden to operate on yourself. But this is easily bypassable by interacting with the API: if you set a new password for another user, then change the user_id parameter within the request to the admin user ID.
The admin user is also able to suspend themselves by interacting with the API. This can be done by suspending a user, then changing the user_id parameter to their own user ID, such as 1 in my case.
Proof of Concept
{"password":"testingtest99","user_id":"1"}
Reproduction Steps
- Go to
/admin/users - Add a new user
- Click action on the newly created user, then click Set new password
- Open up your browser’s network monitor & send the request to set a new password. The URI that the request will be made to is /answer/admin/api/user/password
- Right-click the request, edit & resend it & modify the
user_idparameter within the request to be the user ID of the admin user (in my case, it was 1) - Send the request
Notice that you are then logged out of the admin user account and cannot login with the old credentials again.
Not only are you able to set a new password for the user, but you are also able to suspend the admin account completely. Simply change the payload to:
{"user_id":"1","status":"suspended"}
Where user_id is the ID of the admin user
And change the API endpoint being sent the PUT request to: /answer/admin/api/user/status