- Status: Closed
- Assigned To: cbay
- Private
- Opened by: waloodi_109 - 27.10.2024
- Last edited by: cbay - 28.10.2024
FS#90 - User can add administrator email in their profile setting to gain access to admin email
Improper access control when adding the (admin@alwaysdata.com) email in the profile settings, allowing this email to be taken over.
Hello Sir,
I hope you are doing well. I found a flaw in https://admin.alwaysdata.com/ that allows adding a banned email to the profile settings in order to take over that email.
Steps:
1. Go to https://www.alwaysdata.com/en/register/
2. Enter admin@alwaysdata.com as the email and any password you want.
3. Click Create Profile; it shows (Email address: This email has been banned).
4. Create a profile with your own email, e.g. something@mail.com.
5. Then go to https://admin.alwaysdata.com/admin/details/ and enter the email admin@alwaysdata.com.
6. Then enter your old password and click submit; you can take over this email, which is banned from creating a profile.
Impact
An attacker can add this email to their account and do things that cause a loss to your business.
Thank you,
Waleed Anwar
Hello,
Some emails are banned to simply annoy abusers, that's it. It's trivial to circumvent, we know it, and it's not a vulnerability to manage to sign up.
Kind regards,
Cyril
I know it should be banned for signing up, but you should also know that an attacker can add this email in their profile settings to take over this email for abuse and so on.