# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
# Date: 11-05-2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: http://redaxscript.com/
# Version: 2.1.0
# Tested on: Windows 8

# Privilege Escalation in RedaxScript 2.1.0

RedaxScript 2.1.0 suffers from a privilege escalation vulnerability. The
issue occurs because the application fails to properly implement access
controls. The application also fails to perform proper sanity checks on
user-supplied input before processing it. Together, these two flaws lead to
vertical privilege escalation, which can be achieved simply by tampering
with parameter values. An attacker can exploit this issue to gain elevated
privileges in the application.

*Steps to reproduce the instance:*

· Log in as a non-admin user.

· Go to account and update the account.

· Intercept the request, add “*groups[]=1*” to the POST data and
submit the request.

· Log out of the application and log in again. You can now browse
the application with admin privileges.

This vulnerability was addressed in the following commit.

https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified

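The flaw described above comes down to an account-update handler accepting a posted field (groups) that only an administrator should be able to set. The PHP sketch below is an added example, not RedaxScript's code and not the vendor's patch; the function names, the session structure and every field name other than groups are assumptions. It contrasts that pattern with an allowlist combined with a server-side role check and input validation.

```php
<?php
// Added illustration, not RedaxScript code. All names except "groups" are assumed.

const ADMIN_GROUP_ID = 1; // the advisory's groups[]=1 maps to the admin group
const SELF_EDITABLE = ['name', 'email', 'password', 'description', 'language'];

// Vulnerable pattern: every posted key is passed on to the account update,
// so an extra groups[] parameter is stored along with the legitimate fields.
function build_update_vulnerable(array $post): array
{
    return $post;
}

// Hardened pattern: allowlist the self-editable fields and accept "groups"
// only when the acting user, taken from the server-side session, is an admin.
function build_update_hardened(array $post, array $actor): array
{
    $update = array_intersect_key($post, array_flip(SELF_EDITABLE));
    if (!array_key_exists('groups', $post)) {
        return $update;
    }
    if (!in_array(ADMIN_GROUP_ID, $actor['groups'], true)) {
        // Reject instead of silently dropping, so the attempt shows up in logs.
        throw new RuntimeException('groups change denied for user ' . $actor['id']);
    }
    // Sanity check on the input itself: an array of positive integer ids.
    $groups = filter_var($post['groups'], FILTER_VALIDATE_INT, [
        'flags' => FILTER_REQUIRE_ARRAY,
        'options' => ['min_range' => 1],
    ]);
    if (!is_array($groups) || in_array(false, $groups, true)) {
        throw new InvalidArgumentException('invalid group id');
    }
    $update['groups'] = $groups;
    return $update;
}

// Constructed sample: the tampered account-update request from the steps above.
$post = ['name' => 'alice', 'email' => 'alice@example.test', 'groups' => ['1']];
$actor = ['id' => 42, 'groups' => [2]]; // non-admin session (constructed)

echo 'vulnerable keeps: ', implode(',', array_keys(build_update_vulnerable($post))), PHP_EOL;
try {
    build_update_hardened($post, $actor);
} catch (RuntimeException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
```
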
*Timeline*:

09-26-2014: Issue identified

09-27-2014: Discussion with the vendor

10-27-2014: Issue confirmed

11-05-2014: Patch released.

Author: Shyamkumar Somana
Vendor Homepage: http://redaxscript.com/download
Version: 2.1.0
Tested on: Windows 7