Status: Closed
Assigned To: cbay
Private
Opened by monty099 - 12.11.2024
Last edited by cbay - 12.11.2024
FS#96 - ##Title: Improper Access Control in [admin.alwaysdata.com]
Summary:
A privilege escalation vulnerability was identified in the platform’s access control mechanism for managing specific paths related to site and SSL configurations. When a user is restricted from accessing a specific path within a site (sites path permission denied) but granted access to SSL management, they can still access a URL path intended for restricted site management at /site/xx/ssl. This bypasses intended access restrictions.
Description:
[Note that the path I mentioned does not appear to you when you are not granted permission to access the path (site)]
The platform enables administrators to set granular permissions, controlling what paths invited users can access or manage within a site. Two relevant permissions in this context are:
Path Management (sites): Grants access to manage certain paths related to a site.
SSL Management (ssl certificates): Grants access to manage SSL certificates.
There is a permissions inconsistency that allows users with SSL Management permissions, but without specific sites path permissions, to access the /site/xx/ssl path. This path resides within a restricted site-related path, yet contains SSL management functionalities. As a result, users can bypass restrictions on specific paths and potentially access or manipulate SSL settings.
##Link: [https://admin.alwaysdata.com/site/configuration/ssl/]
Steps to Reproduce:
1. Create a user account and assign SSL Management (ssl certificates) permissions, while explicitly denying access to the sites path.
2. Attempt to access the URL path: /site/xx/ssl.
3. Observe that access is granted to the SSL management path within the restricted sites path, despite restrictions on other paths under sites.
Expected Result:
The system should prevent access to paths under /site—including /site/xx/ssl—when specific path permissions are denied.
Actual Result:
The user can access /site/xx/ssl even though access to paths under /site is restricted, allowing them unintended access to certain SSL configurations tied to the site path.
##Proof of Concept: https://admin.alwaysdata.com/support/82440/384175-bandicam%202024-11-12%2004-13-20-975.mp4
Impact:
This vulnerability allows unauthorized users to bypass restrictions on certain paths and access SSL configurations. If exploited, this could lead to unauthorized manipulation of SSL settings, compromising the security integrity of site-related resources.
Hello,
Accessing /site/configuration/ssl/ is perfectly normal when you have the "SSL certificates" permission, which is what your video shows.
Also note that the /site/XXX/ssl URL is invalid.
Kind regards,
Cyril
Hi,
I would like to clarify that I used the path /site/XXX/ssl as an example. The path I actually mean is: /site/configuration/ssl/.
If access is allowed, why was it not included in the user’s homepage for easier access? This implies that the path /site/configuration/ssl/ should only be accessible when the user is granted the necessary "sites" permission.
What can be inferred is that the /site/configuration/ssl/ path is part of site administration and should be subject to the same access restrictions applied to other site-related paths.
Thank you,
I'm not sure why (that's for the UI/UX team), but that page is clearly SSL related.
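To make the disagreement in this thread concrete, here is an added illustration (not alwaysdata's code) of the two authorisation models: the feature-based check the vendor describes, where a page requires only the permission for its own feature, and the path-prefix check the reporter expected, where anything under /site/ additionally requires the "sites" permission. The permission names and paths come from the thread; the route-to-permission mapping is an assumption made for the example.

```python
# Added example, not alwaysdata's code. Permission names and URLs follow
# the bug report; the ROUTE_PERMISSIONS mapping is a constructed assumption.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


# Feature-based model (what the vendor describes): each known route
# declares the one permission it needs. Unknown routes are denied.
ROUTE_PERMISSIONS = {
    "/site/": "sites",
    "/site/configuration/ssl/": "ssl certificates",
}


def feature_based_allowed(user: User, path: str) -> bool:
    required = ROUTE_PERMISSIONS.get(path)
    if required is None:
        # Deny by default: /site/XXX/ssl, which the vendor notes is invalid,
        # falls into this branch.
        return False
    return required in user.permissions


def prefix_based_allowed(user: User, path: str) -> bool:
    # Reporter's expectation: the feature check still applies, but any
    # route under /site/ also requires the "sites" permission.
    if not feature_based_allowed(user, path):
        return False
    if path.startswith("/site/") and "sites" not in user.permissions:
        return False
    return True


def compare(user: User, path: str) -> dict:
    """Evaluate both models for one user and path."""
    return {
        "feature": feature_based_allowed(user, path),
        "prefix": prefix_based_allowed(user, path),
    }


if __name__ == "__main__":
    ssl_only = User("invited", {"ssl certificates"})
    # The page in dispute: allowed by the feature model, denied by the prefix model.
    print(compare(ssl_only, "/site/configuration/ssl/"))
    print(compare(ssl_only, "/site/XXX/ssl"))  # denied by both
```

The case that distinguishes the models is a user holding only "ssl certificates": the feature-based check grants /site/configuration/ssl/ while the prefix-based check refuses it, which is exactly the behaviour the vendor calls normal and the reporter calls a bypass.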