#1322 Exponent CMS → 2.3.5: Administrators may be able to edit super-administrator profiles - Exponent CMS

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#1322 ✓resolved

Exponent CMS → 2.3.5: Administrators may be able to edit super-administrator profiles

Reported by Sachin Wagh | December 25th, 2015 @ 08:14 PM | in 2.3.7 (closed)

Information

Vulnerability Type : Exponent CMS → 2.3.5: Parameter Tampering Information Disclosure
Vulnerable Version : 2.3.5
CVE-ID :
Severity: Medium
Author – Sachin Wagh (@tiger_tigerboy)

Description

Exponent CMS is prone to a Parameter Tampering Information Disclosure because it fails to sanitize user-supplied input.By changing the value it is possible to see any user information such as superadmin and it is also possible to guess how many user are exist.

Credits & Authors
Sachin Wagh (@tiger_tigerboy)

ExponentCMS_Parameter_Tampering_Information_Disclosure.avi 5.8 MB

Comments and changes to this ticket

dleffler December 26th, 2015 @ 05:59 AM
- Milestone set to “2.3.7”
[bulk edit]
dleffler December 26th, 2015 @ 06:06 AM
- Tag set to “security”
- Assigned user changed from “expNinja” to “dleffler”
This issue may have been resolved with the fix to #1320 CVE-2015-8667 which was included in the v2.3.6 release today. Additional testing will need to be performed on v2.3.6 to see if this issue still exists.
dleffler December 26th, 2015 @ 04:48 PM
- Title changed from “Exponent CMS → 2.3.5: Parameter Tampering Information Disclosure” to “Exponent CMS → 2.3.5: Administrators may be able to edit super-administrator profiles”
It appears this is not a major security issue since the user must already be an acting admin (not a super admin)...HOWEVER it is not expected behavior. E.g., anyone granted status as an 'admin' should be trusted to NOT tamper with their own system???

This will be fixed in the next release. We are 'sanitizing' the input, just not preventing admins from editing super-admin accounts if they happen to get there by url.
You flagged this item as spam.
Sachin Wagh December 26th, 2015 @ 05:06 PM
Hi dleffer,

Even if the user admin or superadmin can see the information vice versa by tampering parameter.

Thanks.
dleffler December 26th, 2015 @ 05:53 PM
Yes, because we only check to see the user bringing up the user record to edit is a logged on admin. The fix will be to block super-admin records from admin users and give the same error as if any other non-admin user attempts the trick above.
expNinja December 26th, 2015 @ 05:56 PM
- State changed from “new” to “resolved”
(from [1d8f6e4eec369da5d2d05928cfa75ac8dbedc3c8]) Fixes security issue where an admin user could possibly edit a super-admin user [#1322 state:resolved] https://github.com/exponentcms/exponent-cms/commit/1d8f6e4eec369da5...
You flagged this item as spam.
Sachin Wagh December 26th, 2015 @ 05:56 PM
Ok dleffer.

Thanks.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Bug Tracker for Exponent CMS

Shared Ticket Bins (Sort)

↓↑ drag 337 Open tickets
↓↑ drag 775 Resolved tickets
↓↑ drag 0 This week's tickets

People watching this ticket

Attachments

ExponentCMS_Parameter_Tampe... 5.8 MB

Exponentcms Exponent CMS → 2.3.7