Improper Privilege Management API V2 in polonel/trudesk
May 12th 2022
Some API v2 endpoints don't check permissions, allowing any authenticated user (not just an admin) to retrieve and edit information they should not have access to.
Proof of Concept
Get users list
1. Log in as a low-privileged user.
2. Go to `/api/v2/accounts?type=all`.
3. The full user list is returned.
Create user with admin role
1. Get the admin role id from the response of `/api/v2/accounts`.
2. Send a POST to `/api/v2/accounts` with that role id in the body.
3. The account is created successfully with the admin role.
Many API endpoints are vulnerable; this is only one of the attack vectors that can happen.
The attacker takes full control of the website.
`isAdmin` checks are vulnerable.
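To make the missing-authorization pattern concrete, here is an added example (not trudesk's own code) that models two versions of the `/api/v2/accounts` routes in memory: one guarded only by an "is logged in" check, which is what the report describes, and one that additionally requires an admin role. The account and role shapes, the middleware names `isAuthenticated`/`isAdmin`, and the request bodies are assumptions for illustration; `runPoc` replays the two PoC steps above against either router.

```javascript
// Added example, not trudesk code. Role/account shapes and middleware names are assumed.
const roles = {
  ROLE_ADMIN: { _id: 'role-admin', name: 'Administrator', isAdmin: true },
  ROLE_USER: { _id: 'role-user', name: 'User', isAdmin: false },
};

// Constructed sample data: one admin and one ordinary user.
function makeStore() {
  return {
    accounts: [
      { _id: 'u1', username: 'admin', role: roles.ROLE_ADMIN },
      { _id: 'u2', username: 'alice', role: roles.ROLE_USER },
    ],
  };
}

// Guard: caller must be logged in. Per the report, this is the only check the
// vulnerable endpoints perform, so any authenticated user passes.
function isAuthenticated(req) {
  if (!req.user) return { status: 401, body: { success: false, error: 'Unauthenticated' } };
  return null;
}

// Guard: caller must be logged in AND hold an admin role.
function isAdmin(req) {
  const denied = isAuthenticated(req);
  if (denied) return denied;
  if (!req.user.role || !req.user.role.isAdmin) {
    return { status: 403, body: { success: false, error: 'Forbidden' } };
  }
  return null;
}

// Handlers: list all accounts, and create an account with a caller-chosen role id.
function listAccounts(req, store) {
  return { status: 200, body: { success: true, accounts: store.accounts } };
}

function createAccount(req, store) {
  const { username, role } = req.body || {};
  const roleObj = Object.values(roles).find((r) => r._id === role);
  if (!username || !roleObj) return { status: 400, body: { success: false, error: 'Invalid body' } };
  const account = { _id: `u${store.accounts.length + 1}`, username, role: roleObj };
  store.accounts.push(account);
  return { status: 200, body: { success: true, account } };
}

// Route table: "METHOD path" -> [guard, handler]. Same handlers, different guard.
function buildRouter(guard) {
  return {
    'GET /api/v2/accounts': [guard, listAccounts],
    'POST /api/v2/accounts': [guard, createAccount],
  };
}

const vulnerableRouter = buildRouter(isAuthenticated); // login is enough
const hardenedRouter = buildRouter(isAdmin); // admin role required

function dispatch(router, method, path, req, store) {
  const chain = router[`${method} ${path}`];
  if (!chain) return { status: 404, body: { success: false } };
  const handler = chain[chain.length - 1];
  for (const guard of chain.slice(0, -1)) {
    const denied = guard(req);
    if (denied) return denied;
  }
  return handler(req, store);
}

// Replay the PoC as the ordinary user "alice": list accounts, harvest the admin
// role id from the listing, then POST a new account carrying that role id.
function runPoc(router) {
  const store = makeStore();
  const alice = store.accounts.find((a) => a.username === 'alice');
  const list = dispatch(router, 'GET', '/api/v2/accounts', { user: alice }, store);
  let adminRoleId = null;
  if (list.status === 200) {
    const adminAccount = list.body.accounts.find((a) => a.role.isAdmin);
    adminRoleId = adminAccount ? adminAccount.role._id : null;
  }
  const create = dispatch(router, 'POST', '/api/v2/accounts',
    { user: alice, body: { username: 'evil', role: adminRoleId || 'role-admin' } }, store);
  const newAdmins = store.accounts.filter((a) => a.username === 'evil' && a.role.isAdmin).length;
  return { listStatus: list.status, createStatus: create.status, newAdmins };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', runPoc(vulnerableRouter)); // { listStatus: 200, createStatus: 200, newAdmins: 1 }
  console.log('hardened:  ', runPoc(hardenedRouter)); // { listStatus: 403, createStatus: 403, newAdmins: 0 }
}
```

The point of the hardened router is that the role check sits in the route guard, not in the handler: `createAccount` itself never inspects who is calling, so every route that can change privileges must be mounted behind `isAdmin` (or an equivalent permission check) rather than behind login alone. An admin calling the hardened POST still succeeds, which is the "by design" case the maintainer asks about below.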
Hi, I see you have read the report. Is it hard to understand, or is the PoC not working?
Can you confirm if this was performed with an admin logged in? As in you were logged in as an admin when you returned the user list and sent the post request.
I understand changing the role id of the post created an admin, but if you were logged in as an admin this is by design.
The token/apikey sent during the post was of which user/role?
I apologize for the complicated description. Some
API v2 endpoints don't check permissions, so any authenticated user can use them (with the user role, or just login permission).
Chained with my other report, an attacker can get inside the dashboard and take full control of the website.
This is valid and I have identified the issue. Please allow me some time before a fix is finished, as I want to double-check nothing else breaks as I implement these changes.
Confirm the bug has been fixed.
Hi @admin, can you publish this cve?
It will publish automatically 👍