Security vulnerabilities

  • Status Closed
  • Assigned To
    nferrari
  • Private
Attached to Project: Security vulnerabilities
Opened by freetb - 15.02.2024
Last edited by nferrari - 16.02.2024

FS#33 - Privilege Escalation in admin.alwaysdata.com - Academic Feature

Description

A vulnerability has been discovered in the student management system, which allows a normal user account to bypass access controls. ANY registered low-level user, with no knowledge of or involvement in a class, can globally detach any student involved just by manipulating the UID, even without tutorship/academic privileges and regardless of tutor access control.

Impact

A malicious attacker could fuzz predictable UID values and remove multiple students, abusing the privesc as a nuisance.

Proof-of-Concept

1) First, we logged in to an actual tutor account where I've added a few students. Next, I take note of the IDs of each student involved.

2) Then, I logged out and just to validate this exploit, I would create a NEW account.

3) This is the vulnerable endpoint:

https://admin.alwaysdata.com/academic/release/<USER_ID>

I replaced the <USER_ID> param with the various IDs I recorded from the tutor account.

4) Visit these URLs on the new account and observe the results.

5) Then, log out and re-login to the tutor account. Visit https://admin.alwaysdata.com/academic/ and confirm poc validity.

Mitigation

Implement proper access controls and role-based permissions to restrict normal users from utilizing global admin/tutor privileges. Conduct a thorough review of the authentication and authorization processes to ensure that no other similar vulnerabilities exist.

POC video: https://file.io/DRmuH2Qk7wZk
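The access-control gap the report describes is an object-level authorization failure: the release endpoint checks that the caller is logged in but never that the caller is the tutor of the student's class. The following is an added illustration, not alwaysdata's code; the data model (tutor 1 runs class 10 with students 100 and 101, account 99 is an unrelated registered user) and the numeric status codes are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Student:
    uid: int
    class_id: Optional[int]  # None once the student has been released

@dataclass
class Course:
    class_id: int
    tutor_uid: int  # the only account allowed to release this class's students

@dataclass
class AcademicStore:
    students: Dict[int, Student] = field(default_factory=dict)
    courses: Dict[int, Course] = field(default_factory=dict)

def release_vulnerable(store: AcademicStore, requester_uid: int, student_uid: int) -> int:
    """Handler shape implied by the report: authenticated, but never authorized.
    Any logged-in account can release any student simply by choosing the UID."""
    student = store.students.get(student_uid)
    if student is None:
        return 404
    student.class_id = None
    return 200

def release_fixed(store: AcademicStore, requester_uid: int, student_uid: int) -> int:
    """Object-level authorization: the requester must be the tutor of the class
    the student currently belongs to. An unknown UID and another tutor's student
    get the same 404, so fuzzing UIDs does not reveal which ones exist."""
    student = store.students.get(student_uid)
    if student is None or student.class_id is None:
        return 404
    course = store.courses.get(student.class_id)
    if course is None or course.tutor_uid != requester_uid:
        return 404
    student.class_id = None
    return 200

def make_store() -> AcademicStore:
    """Constructed sample data (assumption): tutor 1 runs class 10 with
    students 100 and 101; account 99 is an unrelated registered user."""
    store = AcademicStore()
    store.courses[10] = Course(class_id=10, tutor_uid=1)
    for uid in (100, 101):
        store.students[uid] = Student(uid=uid, class_id=10)
    return store
```

The check belongs in the handler for every student-scoped route, not only the release one, and the same uniform response should apply to any other per-object action a tutor can perform.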

Closed by nferrari
16.02.2024 15:05
Reason for closing: Fixed
Admin

Hi,

Thank you for your report.

I just confirmed this behavior, which should not be possible. A fix has been deployed then.

Except for the fact that the student was released from his class, no security issue was involved.

Please come back to us through the Support section of the administration panel with this task as a reference.

Task is closed.

Regards,

Alright. Thanks for the feedback.
