62 lines
No EOL
1.8 KiB
Text
62 lines
No EOL
1.8 KiB
Text
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
|
|
# Date: 11-05-2014
|
|
# Exploit Author: shyamkumar somana
|
|
# Vendor Homepage: http://redaxscript.com/
|
|
# Version: 2.1.0
|
|
# Tested on: Windows 8
|
|
|
|
#Privilege Escalation in RedaxScript 2.1.0
|
|
|
|
|
|
RedaxScript 2.1.0 suffers from a privilege Escalation vulnerability. The
|
|
issue occurs because the application fails to properly implement access
|
|
controls. The application also fails to perform proper sanity checks on the
|
|
user supplied input before processing it. These two flaws led to a
|
|
vertical privilege escalation. This can be achieved by a simply tampering
|
|
the parameter values. An attacker can exploit this issue to gain elevated
|
|
privileges to the application.
|
|
|
|
*Steps to reproduce the instance:*
|
|
|
|
· login as a non admin user
|
|
|
|
· Go to account and update the account.
|
|
|
|
· intercept the request and add “*groups[]=1*” to the post data and
|
|
submit the request
|
|
|
|
· Log out of the application and log in again. You can now browse
|
|
the application with admin privileges.
|
|
|
|
This vulnerability was addressed in the following commit.
|
|
|
|
https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified
|
|
|
|
|
|
*Timeline*:
|
|
|
|
09-26-2014: Issue identified
|
|
|
|
09-27-2014: Discussion with the vendor
|
|
|
|
10-27-2014: Issue confirmed
|
|
|
|
11-05-2014: Patch released.
|
|
|
|
|
|
|
|
|
|
Author: Shyamkumar Somana
|
|
Vendor Homepage: http://redaxscript.com/download
|
|
Version: 2.1.0
|
|
Tested on: Windows 7
|
|
|
|
--
|
|
|
|
[image: --]
|
|
shyam kumar
|
|
[image: http://]about.me/shyamkumar.somana
|
|
<http://about.me/shyamkumar.somana?promo=email_sig>
|
|
|
|
Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
|
|
in.linkedin.com/in/sshyamkumar/ | |