User with only "edit" can delete post and sometimes can add post in thorsten/phpmyfaq
Reported on
Feb 15th 2023
Description
If you create a user with edit-only user rights, they should not be able to perform delete or add actions. This is really an admin error, because users with edit permissions can delete posts, and in the case of FAQs, they can also add posts.
Proof of Concept
1. Create a new user with edit-only permission
2. Log in to admin and you will see that the add/delete option is still available and
Impact
A user with edit-only permission can perform delete or add actions.
Full PoC: https://drive.google.com/file/d/1Qo8aBrMp42Z8OS4tcLfd6AvNgDQQOi_2/view?usp=share_link
This can also be a case of user privilege escalation if someone gives an edit user permission. They can then edit themselves to a super-admin.
The "edit user" permission issue was fixed yesterday.
Great, but my submission is not limited to "edit user" only. It also involves editing FAQs, categories, and other areas where someone with only "edit" privileges should not be able to perform add or delete actions. I would really appreciate it if you could take a look at the video I provided.
Just asking, is it possible to assign a CVE for this report? Thanks, maintainers.
I tried to reproduce this, but
a user with "edit FAQ" permission is not able to add or delete FAQs
a user with "edit categories" permission is not able to add or delete categories
I can still reproduce this in the demo: deleting FAQs and adding FAQs.
https://drive.google.com/file/d/1mTxfW5gbvqxhKPVbb8x-KzlLTiPsvG8o/view?usp=share_link
To add FAQs, just use the direct link
https://roy.demo.phpmyfaq.de/admin/?action=editentry
Yes, there's a button to delete FAQs, but the FAQs don't get deleted.
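The thread above turns on one point: hiding the add/delete buttons from an edit-only user is not a control if the action behind `?action=editentry` can still be reached by typing the URL. The following is an added example of a server-side per-action permission gate, written for this page and not taken from phpMyFAQ; the action names other than `editentry` and all right names are assumptions.

```php
<?php
// Added example (not phpMyFAQ's code): authorize every admin action on the
// server, so a direct link cannot bypass a button that the UI merely hid.
declare(strict_types=1);

// Map each admin action to the single right it requires. 'editentry' is the
// action named in the report; the other names are assumptions for this example.
const ACTION_RIGHTS = [
    'editpreview'  => 'edit_faq',   // open an existing FAQ for editing
    'editentry'    => 'add_faq',    // open the "new FAQ" form
    'saveentry'    => 'add_faq',    // the POST that actually inserts the FAQ
    'deleteentry'  => 'delete_faq',
    'editcategory' => 'edit_cat',
    'addcategory'  => 'add_cat',
    'delcategory'  => 'delete_cat',
];

/**
 * Decide whether a user holding $userRights may run $action.
 * Unknown actions are denied (fail closed); the decision never looks at
 * which buttons were rendered, only at the action requested and the rights.
 */
function isActionAllowed(string $action, array $userRights): bool
{
    if (!array_key_exists($action, ACTION_RIGHTS)) {
        return false;
    }
    return in_array(ACTION_RIGHTS[$action], $userRights, true);
}

/**
 * Gate to run before dispatching any admin action. Returns the HTTP status a
 * real handler would send; both the form page (editentry) and the submit
 * handler (saveentry) must pass through it, not just the page with the button.
 */
function authorizeAction(string $action, array $userRights): int
{
    return isActionAllowed($action, $userRights) ? 200 : 403;
}

// Constructed scenario from the report: an edit-only user requests the edit,
// add and delete actions directly by URL instead of through the UI.
$editOnlyRights = ['edit_faq', 'edit_cat'];
foreach (['editpreview', 'editentry', 'saveentry', 'deleteentry'] as $action) {
    printf("%-12s -> %d\n", $action, authorizeAction($action, $editOnlyRights));
}
```

The gate is deliberately keyed on the requested action rather than on a generic "is admin" flag, which is the distinction between edit, add and delete that the report says the UI did not enforce.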