Execution with Unnecessary Privileges in polonel/trudesk
Reported on
Jun 15th 2021
💥 BUG
Unprivileged user can subscribe others to a ticket
💥 IMPACT
A user with lower-level permissions can subscribe others to a ticket.
💥 STEPS TO REPRODUCE
1. First, from the admin account, go to http://localhost:8118/teams and create a team called team2. Now go to http://localhost:8118/accounts/agents and add a new user called user B with the support role, and assign him to the team2 created above.
2. Now, as an external user, go to http://localhost:8118/newissue and create a new ticket.
3. Now user B goes to his account, and here he can see the public ticket above. Here user B can subscribe to this ticket.
When user B subscribes, the request below is sent to the server:
PUT /api/v1/tickets/60c632a56e8507002262a20a/subscribe HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 52
Origin: http://localhost:8118
Connection: close
Referer: http://localhost:8118/tickets/1004
Cookie: PHPSESSID=n3ofevpn16pm9p45ngraltrbtk; SMFCookie600=a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A40%3A%220bf82305176bf11c423867c0f41a1f7944174f1e%22%3Bi%3A2%3Bi%3A1812778653%3Bi%3A3%3Bi%3A2%3B%7D; ElkArteCookie700=%5B1%2C%22b34b4193d3296f9b57616347174aaf58503bf2226225496e5a159745bea75aba%22%2C1812793345%2C2%5D; _csrf=X6SB4CbNToC6T0TuClv-MPqa; express.sid=s%3A5tJvaz7mQH_plOxJ0Qm39QiZ0gZ6hpQ2.J5ipJrnNm3tGCLsqbRWuvnbIJBLL9XC3vHMTg4DEHCo; $trudesk%3Atimezone=America/New_York; connect.sid=s%3Axat-1rdp_22cYmH0PhqAF-N1CIwJkH5N.lM1S4Qd55GqK2sOKOCJAJaygi%2B8zzbyiGFk8PBvNNPc; io=mj9xe1nO6XEzXPcXAAAO; $trudesk%3Asidebar%3Aexpanded=false
Account: TEST2
{"user":"60c60643fbb7540012529d1d","subscribe":true}
Here, in this request's POST data, user B changes the user parameter value to the user id of the admin and sends the request. Now the admin will be subscribed to this ticket. User B can get the admin's user id from http://localhost:8118/accounts/agents.
So, using this attack, the admin has been subscribed to a ticket by user B.
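The handler behaviour the report describes, modelled as an added example that is not trudesk's own code: a minimal PUT /api/v1/tickets/:id/subscribe handler as the report implies it behaved (the `user` field of the JSON body is trusted), beside a hardened variant that takes the subject from the authenticated session and only lets a caller act on another user's subscription when it holds a permission for that. The handler shape, the permission name `tickets:manage_subscribers`, the `req.user` session field and the in-memory store are assumptions made for this illustration.

```javascript
// Added example, not trudesk's own code. Models the subscribe endpoint
// from the report as a plain function (store, req) -> response so it runs
// without Express. All ids, roles and the permission name are constructed.

// Constructed sample data: the ticket id and user B's id are the ones shown
// in the captured request; the admin id is made up for this example.
const TICKET_ID = '60c632a56e8507002262a20a';
const USER_B = { _id: '60c60643fbb7540012529d1d', role: 'support', permissions: [] };
const ADMIN = { _id: 'admin-id-constructed', role: 'admin',
                permissions: ['tickets:manage_subscribers'] };

// In-memory ticket store: ticket id -> { subscribers: Set<userId> }.
function makeStore() {
  return new Map([[TICKET_ID, { subscribers: new Set() }]]);
}

// Vulnerable handler: subscribes whichever user id the request body names.
// Any authenticated caller can therefore subscribe anyone, as in the report.
function subscribeVulnerable(store, req) {
  const ticket = store.get(req.params.id);
  if (!ticket) return { status: 404, error: 'ticket not found' };
  const target = req.body.user;                 // attacker-controlled
  if (req.body.subscribe === true) ticket.subscribers.add(target);
  else ticket.subscribers.delete(target);
  return { status: 200, subscribers: [...ticket.subscribers] };
}

// Hardened handler: the identity comes from the session (req.user), never
// from the body. A body `user` that differs from the caller is honoured only
// if the caller holds the (assumed) 'tickets:manage_subscribers' permission.
function subscribeHardened(store, req) {
  const ticket = store.get(req.params.id);
  if (!ticket) return { status: 404, error: 'ticket not found' };
  const caller = req.user;
  if (!caller) return { status: 401, error: 'unauthenticated' };
  const requested = typeof req.body.user === 'string' ? req.body.user : caller._id;
  if (requested !== caller._id &&
      !caller.permissions.includes('tickets:manage_subscribers')) {
    return { status: 403, error: "cannot change another user's subscription" };
  }
  if (req.body.subscribe === true) ticket.subscribers.add(requested);
  else ticket.subscribers.delete(requested);
  return { status: 200, subscribers: [...ticket.subscribers] };
}

// Replays the report against a handler: user B's session sends a body whose
// `user` field has been swapped for the admin's id.
function replayReport(handler) {
  const store = makeStore();
  const forged = {
    params: { id: TICKET_ID },
    user: USER_B,                                 // session identity
    body: { user: ADMIN._id, subscribe: true },   // body claims the admin
  };
  const res = handler(store, forged);
  return {
    status: res.status,
    adminSubscribed: store.get(TICKET_ID).subscribers.has(ADMIN._id),
  };
}

console.log('vulnerable:', replayReport(subscribeVulnerable)); // 200, adminSubscribed true
console.log('hardened:  ', replayReport(subscribeHardened));   // 403, adminSubscribed false
```

The fix is not to validate the body's `user` field more carefully but to stop treating it as the authority on who is being subscribed: the subject defaults to the session user, and acting on anyone else is a separate, explicitly granted permission.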
@maintainer This report was submitted about a year ago. I see now you are checking those reports. If you are unable to reproduce the bug and need clearer steps, you can ask me. There is no need to close the report as not applicable after a year. Not applicable status decreases my reputation points here.
@researcher I understand. Maybe @admin can help restore your rep as I had an issue with my dashboard not showing any reports and that was just fixed yesterday. Most of these reports went unseen for some time and are invalid now due to the dashboard not loading any reports.
@maintainer Yes, I will ask the admin to look at your dashboard issue. When I submitted those bugs, the version was trudesk 1.1.5. But now the latest version is 1.2.0. But what would those reports' status be if those bugs were fixed recently or fixed a few versions ago and the maintainer forgot to update here?
I'd say that if the vulnerability is no longer an issue, we can mark this report as N/A.
The dashboard issue has been addressed and I believe was only broken for a couple of days. @maintainer - if this looks like a duplicate, feel free to mark accordingly.
However, ultimately, it is up to you as the maintainer what feels correct here 👍
@maintainer I will send an update on all the reports, if they are still reproducible, on Friday. I am traveling somewhere, so for the next two days it won't be possible. Is it ok for you? Sorry for the inconvenience.
This has been fixed and will be released with version 1.2.3. I will update this report once released.
@admin Can you update this report to show only version <=1.2.2 is affected.