Authentication Bypass Using an Alternate Path or Channel in requarks/wiki

Valid

Reported on

May 8th 2022


Steps to reproduce

  1. Log into the Administrator account
  2. Navigate to the Users section
  3. Create a new user called testUser with the password 12345678
  4. Navigate to the Groups section and create a new group called testGroup
  5. Give testGroup the "manage:groups" permission and assign testUser to the group
  6. Log into the testUser account and navigate to Groups --> Permissions
  7. Click on Update Group and intercept the request with the Burp Suite interceptor
  8. Change "permissions":["manage:groups"], to "permissions":["manage:system"]
  9. Log in again and observe that we can manage the system
  10. This can't be done via the GUI
  11. Video PoC: https://youtu.be/yd0uFCwEBiE

Impact

A user who holds only the "manage:groups" permission can obtain root user ("manage:system") permissions.
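The missing control is a server-side check on the permissions array of the group update request, since the GUI restriction in step 10 does not bind the API. The following is an added example, not Wiki.js code and not the merged fix: the function name, the "no granting what you do not hold" rule and the sample permission list are assumptions; only `manage:groups` and `manage:system` come from the report.

```javascript
// Added example: hypothetical server-side check for a group-update handler.
// Permission names other than manage:groups / manage:system are constructed samples.
const KNOWN_PERMISSIONS = new Set([
  'read:pages', 'write:pages', 'manage:users', 'manage:groups', 'manage:system'
]);
const ROOT_PERMISSION = 'manage:system';

function authorizeGroupUpdate(actorPermissions, currentGroupPermissions, requestedPermissions) {
  const actor = new Set(actorPermissions);
  if (!actor.has('manage:groups') && !actor.has(ROOT_PERMISSION)) {
    return { allowed: false, reason: 'actor may not manage groups' };
  }
  // Never trust the shape of client input: require an array of known names.
  if (!Array.isArray(requestedPermissions) ||
      !requestedPermissions.every(p => typeof p === 'string' && KNOWN_PERMISSIONS.has(p))) {
    return { allowed: false, reason: 'malformed or unknown permission' };
  }
  if (actor.has(ROOT_PERMISSION)) {
    return { allowed: true, reason: 'actor holds manage:system' };
  }
  // Non-root actors may neither edit a group that already carries root
  // nor add a permission they do not hold themselves (assumed policy).
  if (currentGroupPermissions.includes(ROOT_PERMISSION)) {
    return { allowed: false, reason: 'group already holds manage:system' };
  }
  const escalation = requestedPermissions.filter(p => !actor.has(p));
  if (escalation.length > 0) {
    return { allowed: false, reason: 'would grant: ' + escalation.join(', ') };
  }
  return { allowed: true, reason: 'within actor privileges' };
}

// Constructed request body mirroring step 8 of the report (id is a placeholder).
const tampered = JSON.parse('{"id":2,"name":"testGroup","permissions":["manage:system"]}');
const verdict = authorizeGroupUpdate(['manage:groups'], ['manage:groups'], tampered.permissions);
console.log(verdict);
```

Rejected updates are worth logging with the actor and the requested permissions, because a `manage:groups` user asking for `manage:system` has bypassed the GUI.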

We are processing your report and will contact the requarks/wiki team within 24 hours. 17 days ago
We have contacted a member of the requarks/wiki team and are waiting to hear back 16 days ago
Nicolas Giard validated this vulnerability 16 days ago
n1k1x86 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nicolas Giard confirmed that a fix has been merged on 78d02d 16 days ago
Nicolas Giard has been awarded the fix bounty
n1k1x86
16 days ago

Researcher


Greets! Are you not against assigning a CVE as a maintainer? Huntr will do it all automatically with your agreement. Thanks for the reply in advance! This vulnerability was found in collaboration with @scara31 (https://huntr.dev/users/scara31)

n1k1x86
16 days ago

Researcher


@admin Hey, sorry for the ping, could you please assign a CVE for this one if maintainer doesn't mind it?

Jamie Slome
13 days ago

Admin


Sorted 👍

n1k1x86
12 days ago

Researcher


Hi! I'm very pleased, thank you!
