Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 27.10.2024
Last edited by cbay - 28.10.2024

FS#90 - User can add administrator email in their profile setting to gain access to admin email

Improper access control: adding the (admin@alwaysdata.com) email in the profile settings to take over this email.

Hello Sir,

I hope you are doing well. I found a flaw in https://admin.alwaysdata.com/ that lets a user add a banned email to their profile settings to take over the email.

Steps:

1. Go to https://www.alwaysdata.com/en/register/
2. Input admin@alwaysdata.com as the email and then input whatever password you want.
3. Click Create Profile; it then shows (Email address: This email has been banned).
4. Create a profile with your own email, e.g. something@mail.com.
5. Then go to https://admin.alwaysdata.com/admin/details/ and input the email admin@alwaysdata.com.
6. Then input your old password and click submit. You can take over this email, which is banned for creating a profile.

Impact
An attacker can add this email to their account and do things that cause your business a loss.

Thank You,

Waleed Anwar
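The report describes a blocklist that is enforced on the registration form but not on the profile-details form. The added example below (not alwaysdata's code; the blocklist contents, the `Account` model and all function names are constructed) shows the pattern of an unchecked update path next to a hardened one in which every write to the email field goes through the same validator.

```python
"""Consistent enforcement of an email blocklist on every path that sets
an account's address. Added illustration; names and data are constructed."""
from dataclasses import dataclass

# Constructed blocklist; the report names admin@alwaysdata.com as banned at sign-up.
BANNED_EMAILS = {"admin@alwaysdata.com", "postmaster@alwaysdata.com"}
# Constructed: local parts on the operator's own domains that customers must not claim.
RESERVED_LOCAL_PARTS = {"admin", "postmaster", "abuse", "security"}
OWN_DOMAINS = {"alwaysdata.com"}


class EmailBanned(ValueError):
    """Raised when an address is on the blocklist or reserved."""


def normalize(email: str) -> str:
    # Lower-case and strip so "Admin@AlwaysData.com " cannot slip past an exact-match list.
    return email.strip().lower()


def check_email_allowed(email: str) -> str:
    """Single validator shared by registration and profile update."""
    addr = normalize(email)
    if addr in BANNED_EMAILS:
        raise EmailBanned("This email has been banned")
    local, _, domain = addr.rpartition("@")
    if domain in OWN_DOMAINS and local in RESERVED_LOCAL_PARTS:
        raise EmailBanned("This email has been banned")
    return addr


@dataclass
class Account:
    email: str


def register(email: str) -> Account:
    # Registration path: validator applied, as the report observed.
    return Account(check_email_allowed(email))


def update_email_unchecked(account: Account, new_email: str) -> Account:
    # Pattern from the report: the profile form writes the field without re-running the check.
    account.email = normalize(new_email)
    return account


def update_email(account: Account, new_email: str) -> Account:
    # Hardened: the update path reuses the same validator as registration.
    account.email = check_email_allowed(new_email)
    return account
```

Whether the blocklist is worth enforcing at all is a separate policy question (the maintainer's reply below treats it as a nuisance measure, not a security control); the point here is only that a check applied on one write path and skipped on another gives no guarantee.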

Closed by cbay
28.10.2024 08:52
Reason for closing: Invalid

Admin
cbay commented on 28.10.2024 08:36

Hello,

Some emails are banned to simply annoy abusers, that's it. It's trivial to circumvent, we know it, and it's not a vulnerability to manage to sign up.

Kind regards,
Cyril

I know it should be banned for signing up, but you should also know that an attacker can add this email in their profile settings to take over this email for abuse or so on.
