User with only "edit" can delete post and sometimes can add post in thorsten/phpmyfaq

Valid

Reported on

Feb 15th 2023


Description

If you create a user with edit-only user rights, they should not be able to perform delete or add actions. This is really an admin error, because users with edit permissions can delete posts, and in the case of FAQs, they can also add posts.

Proof of Concept

1. Create a new user with edit-only permission
2. Log in to admin and you will see that the add/delete option is still available and

Impact

A user with edit-only permission can perform delete or add actions.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago
isdkrisna
7 months ago

Researcher


Full PoC >> https://drive.google.com/file/d/1Qo8aBrMp42Z8OS4tcLfd6AvNgDQQOi_2/view?usp=share_link

isdkrisna
7 months ago

Researcher


This can also be a case of user privilege escalation if someone gives an edit user permission. They can then edit themselves to a super-admin.

Thorsten Rinne
7 months ago

Maintainer


The "edit user" permission issue was fixed yesterday.

isdkrisna
7 months ago

Researcher


Great, but my submission is not limited to "edit user" only. It also involves editing FAQs, categories, and other areas where someone with only "edit" privileges should not be able to perform add or delete actions. I would really appreciate it if you could take a look at the video I provided.

thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago
Thorsten Rinne gave praise 7 months ago
Thorsten Rinne validated this vulnerability 7 months ago
isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
isdkrisna
7 months ago

Researcher


Just asking, is it possible to assign a CVE for this report? Thanks, maintainers.

Thorsten Rinne
7 months ago

Maintainer


A CVE will be added automatically. :-)

Thorsten Rinne
7 months ago

Maintainer


I tried to reproduce this, but

  • a user with "edit FAQ" permission is not able to add or delete FAQs

  • a user with "edit categories" permission is not able to add or delete categories

isdkrisna
7 months ago

Researcher


a user with "edit FAQ" permission is not able to add or delete FAQs

I can still reproduce deleting FAQs and adding FAQs in the demo.

https://drive.google.com/file/d/1mTxfW5gbvqxhKPVbb8x-KzlLTiPsvG8o/view?usp=share_link

To add FAQs, just use the direct link:

https://roy.demo.phpmyfaq.de/admin/?action=editentry

isdkrisna
7 months ago

Researcher


The edit categories issue is still under research.

Thorsten Rinne
7 months ago

Maintainer


Yes, there's a button to delete FAQs, but the FAQs don't get deleted.

Thorsten Rinne
7 months ago

Maintainer


I can confirm the issue with the direct link.
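The direct-link finding above is the classic gap between hiding a button in the UI and enforcing the permission server-side. The following is an added illustration (not phpMyFAQ's code; the permission names and all action names other than `editentry` are constructed) showing a vulnerable dispatcher that trusts the menu next to a hardened one that re-checks the right on every request, plus a small audit helper listing the actions an edit-only user could reach by URL.

```python
# Added example, not phpMyFAQ code: action-level authorization for an admin
# front controller that routes on a ?action=... parameter.
from dataclasses import dataclass, field

# Constructed map of admin actions to the right they require. "editentry"
# is the action from the report; the rest are hypothetical names.
ACTION_PERMISSIONS = {
    "editentry": "add_faq",      # new-FAQ form reachable by direct link
    "editpreview": "edit_faq",
    "delentry": "delete_faq",
    "editcategory": "edit_category",
    "addcategory": "add_category",
}


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


def visible_menu(user: User) -> list:
    """UI layer: only lists actions the user has rights for. Hiding is not a control."""
    return sorted(a for a, p in ACTION_PERMISSIONS.items() if p in user.permissions)


def dispatch_vulnerable(user: User, action: str) -> str:
    """Vulnerable pattern: assumes only menu-visible actions ever arrive."""
    if action not in ACTION_PERMISSIONS:
        return "404"
    return f"ran {action}"


def dispatch_hardened(user: User, action: str) -> str:
    """Hardened pattern: the handler checks the required right on every request."""
    required = ACTION_PERMISSIONS.get(action)
    if required is None:
        return "404"
    if required not in user.permissions:
        return "403"
    return f"ran {action}"


def reachable_without_right(user: User) -> list:
    """Audit helper: actions the vulnerable dispatcher runs but the hardened one denies."""
    return sorted(
        a for a in ACTION_PERMISSIONS
        if dispatch_vulnerable(user, a) != "404" and dispatch_hardened(user, a) == "403"
    )
```

For an edit-only user the audit helper returns exactly the add and delete actions the report describes, which is the list a reviewer would want to see empty after the fix.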

Thorsten Rinne marked this as fixed in 3.1.12 with commit 400d9c 7 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
isdkrisna
7 months ago

Researcher


Ah, you're right, FAQs don't get deleted. Thanks for the CVE.

Thorsten Rinne published this vulnerability 6 months ago