Improper Privilege Management in uvdesk/core-framework

Valid

Reported on

Jul 19th 2021


✍️ BUG

Privilege escalation bug to pin threads

🕵️‍♂️ Proof of Concept

1. First, from the admin account, go to http://localhost/uvdesk/public/en/member/agents and add a new user called user-B with the Agent role.
Now give user-B all ticketing permissions, e.g. update/add/edit/delete/lock/pin a ticket, etc.
Also give the permission below:

Ticket View--->Individual Access

So, here user-B can access only tickets that are assigned to him.

2. Now the admin creates a new ticket, and the ticket URL will be like http://localhost/uvdesk/public/en/member/ticket/view/1.
Don't assign this ticket to user-B.
So, user-B should not see this ticket.

3. Now go to the user-B account; here user-B can't see the above ticket using the URL http://localhost/uvdesk/public/en/member/ticket/view/1. User-B gets permission denied.
Finally, user-B sends the request below to pin a thread:

PATCH /en/member/thread/action/6884640 HTTP/1.1
Host: bbounty.uvdesk.com
Cookie: cf_clearance=ef9a97e5ca3741a3a96a4c9831b71f8079ef6ac4-1626160435-0-250; UVSESSID=0000000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://bbounty.uvdesk.com/en/member/ticket/view/2
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: https://bbounty.uvdesk.com
Te: trailers
Connection: close
ACCOUNT: TEST2

{"bookmark":1,"id":6884640,"ticketId":"1381331","updateType":"bookmark"}

Here, in this request, change the ticket-id and thread-id, forward the request, and see that the thread is pinned by user-B, who does not have permission.

💥 Impact

Privilege escalation bug to pin threads.

We have contacted a member of the uvdesk/core-framework team and are waiting to hear back a year ago
uvdesk/core-framework maintainer has invalidated this vulnerability a year ago

We found this bug in UVdesk open source and we fixed it here: https://github.com/uvdesk/core-framework/commit/1591db934af9e36f830834c0acddbc8d8528750e

The disclosure bounty has been dropped
The fix bounty has been dropped
Jamie Slome
a year ago

Admin

@uvdesk - should this be marked as invalid?

Just checking on behalf of @ranjit-git.

sanjaybhattwebkul
a year ago

I had marked it invalid by mistake. But it was a genuine issue. and we fixed it here.

Jamie Slome
a year ago

Admin

It looks like the issue is in a different repository, compared to the repository mentioned in this report?

sanjaybhattwebkul
a year ago

1. Find public function threadXHR inside Core-framework -> Controller -> Thread.php

2. Download and add code like this.

3. Here is the code
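The PoC in the report and the fix steps in the comment above both come down to one missing check: the thread action handler verified the agent's action-level privilege (pin/bookmark) but never verified that the agent may access the ticket the thread belongs to, so an agent with "Individual Access" could act on threads of tickets not assigned to them. The following is an added example, not uvdesk's code and not the contents of the commit linked above; it models that check in a small in-memory Python service rather than the project's PHP controller, and every class, function and privilege name in it (Ticket, Thread, Agent, ThreadActionService, "bookmark_thread") is hypothetical. It shows the unchecked handler beside the hardened one: the hardened version resolves the ticket server-side from the thread id in the URL, treats the client-supplied ticketId only as a cross-check, and applies the "Individual Access" rule before changing anything.

```python
"""Object-level authorization for a thread action endpoint.

Added example (not uvdesk code). Models the check the report asks for in a
small in-memory Python model rather than the project's PHP controller. All
class, function and privilege names here are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    id: int
    assigned_agent_id: Optional[int]   # None: not assigned to any agent


@dataclass(frozen=True)
class Thread:
    id: int
    ticket_id: int                     # the ticket this thread belongs to


@dataclass(frozen=True)
class Agent:
    id: int
    privileges: frozenset              # action-level privileges, e.g. "bookmark_thread" (hypothetical)
    ticket_view: str                   # "individual" (only assigned tickets) or "global"


class PermissionDenied(Exception):
    pass


class ThreadActionService:
    def __init__(self, tickets, threads):
        self._tickets = {t.id: t for t in tickets}
        self._threads = {t.id: t for t in threads}
        self.bookmarks = {}            # thread id -> pinned flag

    def _can_view_ticket(self, agent, ticket):
        # "Individual Access" from the report: an agent sees only tickets assigned to them.
        if agent.ticket_view == "global":
            return True
        return ticket.assigned_agent_id == agent.id

    def _apply_bookmark(self, thread, payload):
        self.bookmarks[thread.id] = bool(payload.get("bookmark"))
        return {"threadId": thread.id, "bookmark": self.bookmarks[thread.id]}

    def thread_action_unchecked(self, agent, thread_id, payload):
        # Vulnerable shape: only the action-level privilege is checked; the thread id
        # from the URL is trusted and the owning ticket's access rule is never consulted.
        if "bookmark_thread" not in agent.privileges:
            raise PermissionDenied("missing bookmark privilege")
        thread = self._threads[thread_id]
        return self._apply_bookmark(thread, payload)

    def thread_action(self, agent, thread_id, payload):
        # Hardened shape: action-level privilege, then object-level access to the ticket.
        if payload.get("updateType") != "bookmark":
            raise ValueError("unsupported updateType")
        if "bookmark_thread" not in agent.privileges:
            raise PermissionDenied("missing bookmark privilege")
        thread = self._threads.get(thread_id)
        if thread is None:
            raise LookupError("no such thread")
        # Derive the ticket from the thread server-side; the client-supplied ticketId
        # is only cross-checked, never used to select the ticket.
        ticket = self._tickets[thread.ticket_id]
        if "ticketId" in payload and str(payload["ticketId"]) != str(ticket.id):
            raise PermissionDenied("ticketId does not belong to this thread")
        if not self._can_view_ticket(agent, ticket):
            raise PermissionDenied("ticket not accessible to this agent")
        return self._apply_bookmark(thread, payload)


def build_demo_service():
    # Constructed data following the report: ticket 1 is not assigned to user-B
    # (agent id 42), ticket 2 is. Thread 101 belongs to ticket 1, thread 202 to ticket 2.
    tickets = [Ticket(1, None), Ticket(2, 42)]
    threads = [Thread(101, 1), Thread(202, 2)]
    return ThreadActionService(tickets, threads)


USER_B = Agent(id=42, privileges=frozenset({"bookmark_thread"}), ticket_view="individual")
PIN = {"bookmark": 1, "updateType": "bookmark"}   # body shape from the report's PATCH request


def demo():
    """Returns (unchecked result on a foreign ticket, whether the hardened handler
    denied the same request, hardened result on user-B's own ticket)."""
    svc = build_demo_service()
    leaked = svc.thread_action_unchecked(USER_B, 101, {**PIN, "ticketId": "1"})
    try:
        svc.thread_action(USER_B, 101, {**PIN, "ticketId": "1"})
        denied = False
    except PermissionDenied:
        denied = True
    allowed = svc.thread_action(USER_B, 202, {**PIN, "ticketId": "2"})
    return leaked, denied, allowed


if __name__ == "__main__":
    print(demo())
```

The point of deriving the ticket from the thread rather than from the request body is that the body's ticketId is attacker-controlled; if the handler used it to decide access, a caller could pair an accessible ticketId with a foreign thread id. A mismatch between the two is itself a signal worth logging on the server side.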

Jamie Slome
a year ago

Admin

@maintainer @ranjit-git - I have updated the report to point to the correct repository, and have reset the status of the report to pending.

Feel free to mark as valid and confirm the patch when you are ready.

uvdesk/core-framework maintainer validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
uvdesk/core-framework maintainer confirmed that a fix has been merged on 361b8c a year ago
The fix bounty has been dropped