Privilege Escalation Vulnerability in Product Upgrade Module in fossbilling/fossbilling
Reported on
Jun 9th 2023
Description
Our product upgrade module contained a privilege escalation vulnerability that would allow an unauthorized user to upgrade to a product they were not authorized to.
After an administrator had configured Product 1 so that it could be upgraded to Product 2, but not to Product 3, a user could use Burp Suite to intercept the upgrade request and change the Product 2 ID to another product ID (Product 3), resulting in an unauthorized product upgrade.
Proof of Concept
1 An administrator configures Product 1 so that it can be upgraded to Product 2, but not to Product 3.
2 The user upgrades Product 1 to Product 2 and intercepts the request using Burp Suite.
POST /index.php?_url=/api/client/support/ticket_create HTTP/1.1
Host: localhost
Content-Length: 204
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-with: XMLHttpRequest
sec-ch-ua-mobile: ?0

CSRFToken=182e0a69002c8a873b9f5dbdd677e966&subject=I+would+like+to+upgrade+product1&support_helpdesk_id=1&rel_new_value=1&content=I+would+like+to+upgrade+product1&rel_type=order&rel_id=19&rel_task=upgrade
3 The user changes the Product 2 ID to the Product 3 ID in the intercepted request, and the upgrade succeeds because the server never checks that the requested target is one of the upgrades configured for the order's current product.
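The missing server-side check, as an added example that is not FOSSBilling's own code: the product named in rel_new_value is validated against the administrator's configured upgrade list for the product on the order, and the order itself must belong to the requesting client. The function name, the ALLOWED_UPGRADES and ORDERS arrays, and the client and product IDs are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed admin configuration: product ID => product IDs it may be upgraded to.
// Mirrors the report: Product 1 may become Product 2 but never Product 3.
const ALLOWED_UPGRADES = [
    1 => [2],
    2 => [3],
];

// Constructed order table: order ID => owning client and current product.
const ORDERS = [
    19 => ['client_id' => 7, 'product_id' => 1],
];

/**
 * Validate an upgrade request before acting on it.
 * Returns null when the request is acceptable, otherwise a reason string
 * for a 403 response. Only the two IDs come from the request body; the
 * order owner, current product and allowed targets come from server state.
 */
function validateUpgradeRequest(int $clientId, array $params): ?string
{
    $orderId = filter_var($params['rel_id'] ?? null, FILTER_VALIDATE_INT);
    $newId   = filter_var($params['rel_new_value'] ?? null, FILTER_VALIDATE_INT);
    if ($orderId === false || $newId === false) {
        return 'rel_id and rel_new_value must be integers';
    }
    if (($params['rel_type'] ?? '') !== 'order' || ($params['rel_task'] ?? '') !== 'upgrade') {
        return 'unsupported rel_type/rel_task';
    }
    $order = ORDERS[$orderId] ?? null;
    if ($order === null || $order['client_id'] !== $clientId) {
        return 'order not found for this client'; // blocks cross-client tampering with rel_id
    }
    // The authorization decision: is the requested product on the configured list?
    $allowed = ALLOWED_UPGRADES[$order['product_id']] ?? [];
    if (!in_array($newId, $allowed, true)) {
        return "product {$order['product_id']} cannot be upgraded to product {$newId}";
    }
    return null;
}

$base = ['rel_type' => 'order', 'rel_id' => '19', 'rel_task' => 'upgrade'];
// The legitimate request (target Product 2) is accepted: prints NULL.
var_dump(validateUpgradeRequest(7, $base + ['rel_new_value' => '2']));
// The tampered request (rel_new_value changed to 3) is refused with a reason string.
var_dump(validateUpgradeRequest(7, $base + ['rel_new_value' => '3']));
```

The same check must run on the path that actually performs the upgrade, not only when the ticket is created, since the client-side form and CSRF token do nothing to constrain the value an intercepting proxy can send.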
Impact
This vulnerability could potentially enable an attacker to gain access to products that they are not supposed to have access to, leading to data leakage, financial losses, and other harmful consequences.
I've been able to replicate this and I've submitted proposed changes to resolve it. You can find the pull request here.
@admin please mark this one as valid