User with only "edit" can delete post and somethimes can add post in thorsten/phpmyfaq

Valid

Reported on

Feb 15th 2023

Description

If you create a user with edit-only user rights, they should not be able to perform delete or add actions. This is really an admin error, because users with edit permissions can delete posts, and in the case of FAQs, they can also add posts.

Proof of Concept

1.Create new user with edit only permission
2.Login to admin and you will see that add/delete option still available and

Impact

user with edit-only permission, can perform delete or add actions

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago

isdkrisna

commented 7 months ago

Researcher

full poc >> https://drive.google.com/file/d/1Qo8aBrMp42Z8OS4tcLfd6AvNgDQQOi_2/view?usp=share_link

isdkrisna

commented 7 months ago

Researcher

This can also be a case of user privilege escalation if someone gives an edit user permission. They can then edit themselves to a super-admin.

Thorsten Rinne

commented 7 months ago

Maintainer

The "edit user" permission issue was fixed yesterday.

isdkrisna

commented 7 months ago

Researcher

Great, but my submission is not limited to "edit user" only. It also involves editing FAQs, categories, and other areas where someone with only "edit" privileges should not be able to perform add or delete actions. I would really appreciate it if you could take a look at the video I provided.

A thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago

Thorsten Rinne gave praise 7 months ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Thorsten Rinne validated this vulnerability 7 months ago

isdkrisna has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

isdkrisna

commented 7 months ago

Researcher

Just asking, is it possible to assign a CVE for this report?. Thanks maintaners

Thorsten Rinne

commented 7 months ago

Maintainer

A CVE will be added automatically. :-)

Thorsten Rinne

commented 7 months ago

Maintainer

I tried to reproduce this, but

a user with "edit FAQ" permission is not able to add or delete FAQs
a user with "edit categories" permission is not able to add or delete categories

isdkrisna

commented 7 months ago

Researcher

a user with "edit FAQ" permission is not able to add or delete FAQs

I Still Can Reproduce in demo Deleting FAQs and Add FAQs

https://drive.google.com/file/d/1mTxfW5gbvqxhKPVbb8x-KzlLTiPsvG8o/view?usp=share_link

To add FAQs just use the directlink

https://roy.demo.phpmyfaq.de/admin/?action=editentry

isdkrisna

commented 7 months ago

Researcher

edit categories issue still on Research

Thorsten Rinne

commented 7 months ago

Maintainer

Yes, there's a button to delete FAQs, but the FAQs don't get deleted.

Thorsten Rinne

commented 7 months ago

Maintainer

I can confirm the issue with the direct link.

Thorsten Rinne marked this as fixed in 3.1.12 with commit 400d9c 7 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Mar 31st 2023

isdkrisna

commented 7 months ago

Researcher

ah you rights, FAQs don't get deleted. Thanks for CVE

Thorsten Rinne published this vulnerability 6 months ago

to join this conversation

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago

isdkrisna

commented 7 months ago

Researcher

full poc >> https://drive.google.com/file/d/1Qo8aBrMp42Z8OS4tcLfd6AvNgDQQOi_2/view?usp=share_link

isdkrisna

commented 7 months ago

Researcher

This can also be a case of user privilege escalation if someone gives an edit user permission. They can then edit themselves to a super-admin.

Thorsten Rinne

commented 7 months ago

Maintainer

The "edit user" permission issue was fixed yesterday.

isdkrisna

commented 7 months ago

Researcher

A thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago

Thorsten Rinne gave praise 7 months ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Thorsten Rinne validated this vulnerability 7 months ago

isdkrisna has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

isdkrisna

commented 7 months ago

Researcher

Just asking, is it possible to assign a CVE for this report?. Thanks maintaners

Thorsten Rinne

commented 7 months ago

Maintainer

A CVE will be added automatically. :-)

Thorsten Rinne

commented 7 months ago

Maintainer

I tried to reproduce this, but

a user with "edit FAQ" permission is not able to add or delete FAQs
a user with "edit categories" permission is not able to add or delete categories

isdkrisna

commented 7 months ago

Researcher

a user with "edit FAQ" permission is not able to add or delete FAQs

I Still Can Reproduce in demo Deleting FAQs and Add FAQs

https://drive.google.com/file/d/1mTxfW5gbvqxhKPVbb8x-KzlLTiPsvG8o/view?usp=share_link

To add FAQs just use the directlink

https://roy.demo.phpmyfaq.de/admin/?action=editentry

isdkrisna

commented 7 months ago

Researcher

edit categories issue still on Research

Thorsten Rinne

commented 7 months ago

Maintainer

Yes, there's a button to delete FAQs, but the FAQs don't get deleted.

Thorsten Rinne

commented 7 months ago

Maintainer

I can confirm the issue with the direct link.

Thorsten Rinne marked this as fixed in 3.1.12 with commit 400d9c 7 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Mar 31st 2023

isdkrisna

commented 7 months ago

Researcher

ah you rights, FAQs don't get deleted. Thanks for CVE

Thorsten Rinne published this vulnerability 6 months ago

to join this conversation