Improper Privilege Management API V2 in polonel/trudesk
Reported on May 12th 2022
Description
Some API v2 endpoints do not check permissions, which allows attackers to retrieve or edit information about:
- tickets
- accounts
- groups
- departments
- teams
- ElasticSearch
Proof of Concept
Get users list
1. Login.
2. Go to `/api/v2/accounts?type=all`.
3. The users list is returned.
Create user with admin role
1. Get the admin role id in `/api/v2/accounts`.
2. Send POST to `/api/v2/accounts`.
{"username":"test21233","fullname":"test21233","title":"test2","email":"test2@test31232.cv","teams":["627ce1fd9f59377095600ce9"],"role":"627ce1fd9f59377095600ce1","password":"test2test2","passwordConfirm":"test2test2"}
3. The user is created successfully.
Note
Many API endpoints are vulnerable; I have shown only one of the possible attack vectors.
Impact
The attacker takes full control of the website.
Occurrences
routes.js L15-L74
Routes without isAdmin are vulnerable.
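The missing authorization check described in the report, as an added example that is not trudesk's own code: a minimal Express-style middleware chain in plain Node.js (no framework dependency) showing that a route registered with an authentication check only is reachable by a user-role account, that adding an `isAdmin` guard returns 403 to that same account, and an audit helper that lists route entries lacking the guard (the check the "Routes without isAdmin" note describes). The token values, user names, role flags, the `accesstoken` header name and the route table are constructed for the example and do not come from trudesk.

```javascript
// Added example, not trudesk's code. Models an Express-style middleware chain
// to show why a route without an authorization guard is reachable by any
// authenticated user, and how an isAdmin guard closes it.

// Constructed sample principals keyed by API token (hypothetical values).
const USERS = {
  'token-admin': { username: 'alice', role: { name: 'Admin', isAdmin: true } },
  'token-user':  { username: 'bob',   role: { name: 'User',  isAdmin: false } },
};

// Authentication: resolves the token to a user, otherwise 401.
// The `accesstoken` header name is an assumption for this example.
function isAuthenticated(req, res, next) {
  const user = USERS[req.headers.accesstoken];
  if (!user) return res.status(401).json({ success: false, error: 'Invalid access token' });
  req.user = user;
  next();
}

// Authorization: the authenticated user must hold an admin role, otherwise 403.
// Being logged in is not the same as being allowed; this is the check the
// vulnerable routes lack.
function isAdmin(req, res, next) {
  if (!req.user || !req.user.role.isAdmin) {
    return res.status(403).json({ success: false, error: 'Forbidden' });
  }
  next();
}

// Route handlers (simplified stand-ins for account listing/creation).
function listAccounts(req, res) {
  res.status(200).json({ success: true, accounts: Object.values(USERS).map(u => u.username) });
}
function createAccount(req, res) {
  res.status(200).json({ success: true, created: req.body && req.body.username });
}

// Tiny synchronous router: runs handlers in order, like Express does, and
// stops at the first one that does not call next().
function runRoute(handlers, req) {
  const res = {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
  let idx = 0;
  function next() {
    const h = handlers[idx++];
    if (h) h(req, res, next);
  }
  next();
  return res;
}

// Constructed route table. The GET entry mirrors the reported defect:
// authentication only, no isAdmin guard.
const routes = {
  'GET /api/v2/accounts':  [isAuthenticated, listAccounts],
  'POST /api/v2/accounts': [isAuthenticated, isAdmin, createAccount],
};

// Audit helper: every route whose chain does not include isAdmin. Running
// this over a real route table is the quick way to find the gaps the report
// points at; here it returns only the GET entry.
function findUnguardedRoutes(table) {
  return Object.keys(table).filter(key => !table[key].includes(isAdmin));
}

// Convenience: call a route as the holder of a given token.
function callAs(token, handlers, body) {
  return runRoute(handlers, { headers: { accesstoken: token }, body });
}

// Vulnerable registration: a user-role token gets the full account list (200).
const vulnerable = callAs('token-user', routes['GET /api/v2/accounts']);
// Hardened registration: the same token is refused (403); admin still works (200).
const hardened = [isAuthenticated, isAdmin, listAccounts];
const refused = callAs('token-user', hardened);
const allowed = callAs('token-admin', hardened);

console.log('unguarded routes:', findUnguardedRoutes(routes));   // ['GET /api/v2/accounts']
console.log('user on vulnerable route:', vulnerable.statusCode);  // 200
console.log('user on hardened route:', refused.statusCode);       // 403
console.log('admin on hardened route:', allowed.statusCode);      // 200
```

The fix pattern is the same for every affected entry in the route table: register `isAdmin` (or a role-specific permission check) after `isAuthenticated` on any route that reads or writes data a plain user should not reach, and keep an audit such as `findUnguardedRoutes` in the test suite so a new route cannot be added without an explicit decision about its guard.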
Hi, I see you have read the report. Is it hard to understand, or is the PoC not working?
Can you confirm if this was performed with an admin logged in? As in you were logged in as an admin when you returned the user list and sent the post request.
I understand changing the role id of the post created an admin, but if you were logged in as an admin this is by design.
The token/apikey sent during the post was of which user/role?
I apologize for the complicated description. Some API v2 endpoints do not check permissions, so any authenticated user can use them (with the user role, or just login permission).
Chained with my other report, an attacker can get inside the dashboard and take full control of the website:
https://huntr.dev/bounties/64abc487-cab4-4fe3-bb43-db1ffdea3468/
Video POC
https://drive.google.com/file/d/1dkfkZ3JEhCGa2aD14i2ubn-h0wqeRwdJ/view?usp=sharing
This is valid and I have identified the issue. Please allow me some time before a fix is finished, as I want to double-check nothing else breaks as I implement these changes.