Privilege escalation from user with "add user" to super admin in thorsten/phpmyfaq
Reported on
Feb 14th 2023
Description
Before I created this submission, I read this report: https://huntr.dev/bounties/258cd498-7275-4b12-ac73-79c9ba3e58e4/. I was afraid that my submission would be a duplicate of that. After reading it carefully, I decided to make a report because my report is not exploiting the backup file feature, but it pure from an admin mistake.
Proof of Concept
1. Login with user who have user right to add user
2.Login with user who can only add user
3.Add Super Admin
See somethings wrong? yups.
It's very funny that someone with only add user rights can make a super admin. It's like a lower role can elevate themselves to a higher role.
Impact
privilege escalation
POC in Video >>> https://drive.google.com/file/d/18X2m_NVBfluah93cK4ZLnJt7UtpG5kVS/view?usp=share_link