Privilege escalation from user with "add user" to super admin in thorsten/phpmyfaq

Valid

Reported on

Feb 14th 2023

Description

Before I created this submission, I read this report: https://huntr.dev/bounties/258cd498-7275-4b12-ac73-79c9ba3e58e4/. I was afraid that my submission would be a duplicate of that. After reading it carefully, I decided to make a report because my report is not exploiting the backup file feature, but it pure from an admin mistake.

Proof of Concept

1. Login with user who have user right to add user
2.Login with user who can only add user
3.Add Super Admin

See somethings wrong? yups.

It's very funny that someone with only add user rights can make a super admin. It's like a lower role can elevate themselves to a higher role.

Impact

privilege escalation

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago

isdkrisna

commented 7 months ago

Researcher

POC in Video >>> https://drive.google.com/file/d/18X2m_NVBfluah93cK4ZLnJt7UtpG5kVS/view?usp=share_link

A thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago

Thorsten Rinne validated this vulnerability 7 months ago

isdkrisna has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne gave praise 7 months ago

You're right, there's a missing check

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Thorsten Rinne marked this as fixed in 3.1.12 with commit ae6c1d 7 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Mar 31st 2023

Thorsten Rinne published this vulnerability 6 months ago

to join this conversation