Privilege escalation allows a user with read-only access to edit the admin portal and take actions in octoprint/octoprint
Aug 23rd 2022
Overview of the Vulnerability
Authentication and session management controls can be bypassed in a variety of ways, including calling an internal post-authentication page directly, modifying URL parameters, manipulating the form, or counterfeiting sessions. The authentication method for this application can be bypassed by an attacker, enabling them to access a privileged user's account and functionality and giving them access to more resources or functionality within the application. This could include viewing or editing sensitive customer data, and viewing or editing other users' permissions.
The impact of privilege escalation through broken authentication controls varies in severity with the degree of access to resources or functionality the attacker is able to gain. An attacker who can access, delete, or modify data within the application can cause reputational damage to the business by undermining customers' trust. It can also result in indirect financial costs to the business through fines from regulatory bodies if sensitive data is accessed. The severity of the impact on the business depends on the sensitivity of the data stored in and transmitted by the application.
A lower-privileged user (a member of the Read-only Access group) is not allowed to edit or take action in the Plugin Manager section; only admin users (users with the required privileges) may do so. By sending the request directly, however, a lower-privileged (read-only) user can modify the admin environment by enabling, disabling, or cleaning up plugins without holding those privileges.
As stated in the documentation, the Read-only Access group is granted read-only access; for the Plugin Manager this means: List plugins (ONLY).
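The following is an added illustration, not OctoPrint's own code: a minimal model of the authorization the finding calls for, with the authentication-only handler that reproduces the bug beside a deny-by-default handler that checks each command against the caller's group permissions. Group, permission and plugin names are hypothetical stand-ins.

```python
# Added example, not OctoPrint's own code: a deny-by-default authorization
# check for a plugin-manager command endpoint, modelling the finding above.
# Group, permission and plugin names are hypothetical stand-ins.
GROUP_PERMISSIONS = {
    "admins": {"PLUGIN_LIST", "PLUGIN_MANAGE"},
    "readonly": {"PLUGIN_LIST"},  # the docs' "List plugins (ONLY)"
}
# Every command the endpoint accepts maps to the permission it requires.
COMMAND_PERMISSIONS = {
    "list": "PLUGIN_LIST",
    "enable": "PLUGIN_MANAGE",
    "disable": "PLUGIN_MANAGE",
    "cleanup": "PLUGIN_MANAGE",
}


def permissions_of(groups):
    """Union of the permissions granted by all of a user's groups."""
    return set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))


def apply_command(body, plugins):
    """Mutate the plugin table ('plugins' maps plugin id -> enabled flag)."""
    cmd, pid = body["command"], body.get("plugin")
    if cmd == "enable":
        plugins[pid] = True
    elif cmd == "disable":
        plugins[pid] = False
    elif cmd == "cleanup":
        plugins.pop(pid, None)
    return plugins


def handle_vulnerable(groups, body, plugins):
    """Authentication only: any logged-in caller may send any command (the bug)."""
    if groups is None:  # None models an unauthenticated caller
        return 401
    apply_command(body, plugins)
    return 200


def handle_fixed(groups, body, plugins):
    """Authorize the specific command server-side, whatever the UI hides."""
    if groups is None:
        return 401
    required = COMMAND_PERMISSIONS.get(body.get("command"))
    if required is None:
        return 400  # unknown command: deny by default
    if required not in permissions_of(groups):
        return 403  # e.g. a read-only user sending "disable"
    apply_command(body, plugins)
    return 200
```

The key point is that the check lives on the server and is keyed on the command actually sent, so hiding buttons in the UI is not what stops a read-only user from sending a disable request.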
Proof of Concept
Send the following request through Burp Proxy using a read-only user's cookies:
Note: the command can be changed to enable, disable, or cleanup, and this applies to all plugins (which is why Availability is rated High in the CVSS score).
A lower-privileged user (Read-only Access user) can modify the admin environment by enabling, disabling, or cleaning up plugins without holding those privileges.