vulnerability that editor user can change admin user's password #327
An editor-role user can change the admin user's properties, including password hash, salt and token.
let's say you have 2 users in db
The editor user can use the postuser function to change his password. An attacker can use this function to change the id and other parameters. If the editor changes the id to 1111 (post body), which belongs to admin, then he can send another postuser request (set to 1111 in both post body and url) to overwrite admin's properties (since findone by id 1111 matches the first row now), including hash, token and salt, and also change isadmin to false.
The username is dangerous as well. If the editor changes the name to admin, then logs off. The logoff update by username function will copy the editor user's settings to overwrite admin. So there are 2 duplicate lines of editor in db now. I have concerns about the password part as well, but I can't find a way to use it to exploit without changing username and id.
Then maybe let's work backwards from the ideal solution instead of patching an insecure paradigm.
What would be your ideal approach to modifying user data that would prevent these exploits? These are the requirements:
Any user should be able to change their own username, full name, email and password
Admins should be able to change any field of any user
No one should be able to change the id of any user
If we just imagine one API endpoint handling all user data changes, what would that look like to you? Just pseudo code is fine
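One possible shape for the single endpoint asked about above, as an added example that is not code from the project or from either commenter. The in-memory store, the `updateUser` and `hashPassword` names, the `fullName` key and the editor id 2222 are assumptions; the other field names follow the report.

```javascript
// Added example: hypothetical names, not the project's API.
const SELF_EDITABLE = new Set(["username", "fullName", "email", "password"]);

// actor:    user record loaded from the server-side session, never from the request
// targetId: id taken from the URL path; body: untrusted JSON from the client
// hashPassword(plain) -> { hash, salt }: the application's own hashing routine (assumed)
function updateUser(users, actor, targetId, body, hashPassword) {
  const target = users.find((u) => u.id === targetId);
  if (!target) return { status: 404, error: "no such user" };

  // Non-admins may only touch their own record.
  if (!actor.isAdmin && actor.id !== target.id) {
    return { status: 403, error: "cannot edit another user" };
  }

  const patch = {};
  for (const [field, value] of Object.entries(body)) {
    // id is immutable for everyone, admins included.
    if (field === "id") return { status: 400, error: "id is immutable" };
    // Non-admins get an allowlist, so hash, salt, token and isAdmin are rejected.
    if (!actor.isAdmin && !SELF_EDITABLE.has(field)) {
      return { status: 403, error: `field not editable: ${field}` };
    }
    patch[field] = value;
  }

  // Usernames stay unique, so a code path keyed on username cannot hit two rows.
  if ("username" in patch &&
      users.some((u) => u.id !== target.id && u.username === patch.username)) {
    return { status: 409, error: "username taken" };
  }

  // The client sends a plaintext password; hash and salt are derived server-side.
  if ("password" in patch) {
    Object.assign(patch, hashPassword(patch.password));
    delete patch.password;
  }

  Object.assign(target, patch); // the write is keyed on the id resolved above
  return { status: 200, user: { id: target.id, username: target.username } };
}

// Constructed sample data: admin id 1111 as in the report, editor id 2222 made up.
const sampleUsers = [
  { id: 1111, username: "admin", isAdmin: true, hash: "h1", salt: "s1", token: "t1" },
  { id: 2222, username: "editor", isAdmin: false, hash: "h2", salt: "s2", token: "t2" },
];
```

Both paths from the report end in a rejection here: the id rewrite returns 400 and the rename to `admin` returns 409, while an ordinary self-service password change still succeeds.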