
Exponent CMS → 2.3.5: Administrators may be able to edit super-administrator profiles
Reported by Sachin Wagh | December 25th, 2015 @ 08:14 PM | in 2.3.7 (closed)
Information
Vulnerability Type : Exponent CMS → 2.3.5: Parameter Tampering Information Disclosure
Vulnerable Version : 2.3.5
CVE-ID :
Severity: Medium
Author – Sachin Wagh (@tiger_tigerboy)
Description
Exponent CMS is prone to a Parameter Tampering Information Disclosure because it fails to sanitize user-supplied input. By changing the value it is possible to see any user information, such as the superadmin's, and it is also possible to guess how many users exist.
Credits & Authors
Sachin Wagh (@tiger_tigerboy)
Comments and changes to this ticket
dleffler December 26th, 2015 @ 06:06 AM
- Tag set to security
- Assigned user changed from expNinja to dleffler
This issue may have been resolved with the fix to #1320 CVE-2015-8667 which was included in the v2.3.6 release today. Additional testing will need to be performed on v2.3.6 to see if this issue still exists.
dleffler December 26th, 2015 @ 04:48 PM
- Title changed from Exponent CMS → 2.3.5: Parameter Tampering Information Disclosure to Exponent CMS → 2.3.5: Administrators may be able to edit super-administrator profiles
It appears this is not a major security issue since the user must already be an acting admin (not a super admin)...HOWEVER it is not expected behavior. E.g., anyone granted status as an 'admin' should be trusted to NOT tamper with their own system???
This will be fixed in the next release. We are 'sanitizing' the input, just not preventing admins from editing super-admin accounts if they happen to get there by url.
Sachin Wagh December 26th, 2015 @ 05:06 PM
Hi dleffler,
Even if the user is an admin or superadmin, they can see the information vice versa by tampering with the parameter.
Thanks.
dleffler December 26th, 2015 @ 05:53 PM
Yes, because we only check to see the user bringing up the user record to edit is a logged on admin. The fix will be to block super-admin records from admin users and give the same error as if any other non-admin user attempts the trick above.
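The check dleffler describes, written out as an added example that is not Exponent CMS code: the pre-fix rule only asks whether the actor is an admin, while the fixed rule also refuses admin edits of super-admin records and returns the same response for a super-admin target, a forbidden target and a non-existent id, so the URL parameter from the report above cannot be used to enumerate accounts. The `UserRecord` shape, the role flags and the sample user table are assumptions for illustration.

```python
# Added example (not Exponent CMS code). Role flags, record shape and the
# user table are constructed for illustration.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class UserRecord:
    id: int
    username: str
    is_admin: bool = False
    is_superadmin: bool = False


# Constructed sample user table; ids are arbitrary.
USERS = {
    1: UserRecord(1, "root", is_admin=True, is_superadmin=True),
    7: UserRecord(7, "alice", is_admin=True),
    9: UserRecord(9, "bob"),
}

GENERIC_DENIAL = "User record not available"


def can_edit_user_vulnerable(actor: UserRecord, target: UserRecord) -> bool:
    """Pre-fix behaviour from the ticket: only checks that the actor is an admin."""
    return actor.is_admin


def can_edit_user(actor: UserRecord, target: UserRecord) -> bool:
    """Fixed rule: self-edit, super-admin, or admin editing a non-super-admin."""
    if actor.id == target.id:
        return True
    if actor.is_superadmin:
        return True
    return actor.is_admin and not target.is_superadmin


def handle_edit_user(actor: UserRecord, requested_id: int) -> Tuple[int, str]:
    """Simulated edit-user endpoint; `requested_id` is the tampered URL parameter.

    A missing record and a denied record produce the identical response, so the
    parameter cannot be used to count accounts or locate super-admins.
    """
    target = USERS.get(requested_id)
    if target is None or not can_edit_user(actor, target):
        return 403, GENERIC_DENIAL
    return 200, f"Editing profile of {target.username}"
```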
expNinja December 26th, 2015 @ 05:56 PM
- State changed from new to resolved
(from [1d8f6e4eec369da5d2d05928cfa75ac8dbedc3c8]) Fixes security issue where an admin user could possibly edit a super-admin user [#1322 state:resolved] https://github.com/exponentcms/exponent-cms/commit/1d8f6e4eec369da5...
Bug Tracker for Exponent CMS