Authentication Bypass Using an Alternate Path or Channel in requarks/wiki

Valid

Reported on

May 8th 2022

Steps to reproduce

  1. 1. Log into Administrator account
  2. 2. Navigate to User section
  3. 3. Create a new User, call it testUser pass is 12345678
  4. 4. Navigate to Groups section and create a new group, call it testGroup
  5. 5. Give a "manage:group" permission for testGroup and assign testUser to group
  6. 6. Log into testUser account and navigate to Groups --> Permissions section
  7. 7. Click on Update Group and intercept it by BurpSuit Iterceptor
  8. 8. Change "permissions":["manage:groups"], to "permissions":["manage:system"]
  9. 9. Relog in and obverse that we can manage system
  10. 10. It can't be done via GUI
  11. 11. Video PoC: https://youtu.be/yd0uFCwEBiE

Impact

User can get root user permissions

We are processing your report and will contact the requarks/wiki team within 24 hours. a year ago
We have contacted a member of the requarks/wiki team and are waiting to hear back a year ago
Nicolas Giard validated this vulnerability a year ago
n1k1x86 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nicolas Giard marked this as fixed in 2.5.281 with commit 78d02d a year ago
Nicolas Giard has been awarded the fix bounty
This vulnerability will not receive a CVE
n1k1x86
a year ago

Researcher

Greets! Are you not against assigning a CVE as a maintainer? Huntr will do it all automatically with your agreement. Thanks for the reply in advance! This vulnerability was found in collaboration with @scara31 (https://huntr.dev/users/scara31)

n1k1x86
a year ago

Researcher

@admin Hey, sorry for the ping, could you please assign a CVE for this one if maintainer doesn't mind it?

Jamie Slome
a year ago

Admin

Sorted 👍

n1k1x86
a year ago

Researcher

Hi! I'm very pleased, thank you!

to join this conversation