i7MEDIA / mojoportal

mojoPortal is an extensible, cross database, mobile friendly, web content management system (CMS) and web application framework written in C# ASP.NET.
https://www.mojoportal.com

Escalate to full administrator role #105

Closed Frycos closed 4 years ago

Frycos commented 4 years ago

Hi guys,

I wanted to report a vulnerability with respect to your role model handling. It's not a highly critical one, even though it breaks your role model of course. :-)

  1. Starting with a user only being member of Role Administrators.
  2. Go to Administration menu -> Role Administration.
  3. Observe that not all roles are visible in this security context, especially Administrators.
  4. Also observe in the Administration menu that "Role Administration, Member List, Add New User" are available only.
  5. Add New Role with a name ending in ;Admins.
  6. Add yourself to the new group.
  7. Now you're *implicitly* a member of the Administrator group.
  8. Every administrative functionality is available now in the Administration menu.

Why?

Basically, mojoPortal.Business.WebHelpers.IsInRole() splits roles via the delimiter ";". If this delimiter is now used as above, i.e. as part of the role name, then one role is interpreted as many. Looking at the code mentioned, Administrator correlates with the String Admins (see line 19).

Mitigation: Do not allow usage of the role list delimiter in the naming scheme of roles itself.
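The delimiter flaw described above, modelled as an added example (this is not mojoPortal's code): a user's roles are serialised into one `;`-joined string and the membership check splits that string, so a role named `Helpdesk;Admins` yields a token equal to the `Admins` literal. The hardened store rejects delimiter characters at role creation and checks membership against a set rather than reparsing a string; the role and user names are constructed for the demo.

```python
# Added example, not mojoPortal's code. Models the ';' delimiter flaw from this
# issue and its mitigation. ADMIN_ROLE mirrors the report's "Admins" literal;
# the serialised-roles format and all names are constructed assumptions.

DELIMITER = ";"
ADMIN_ROLE = "Admins"  # the report: Administrator correlates with the string "Admins"


def serialize_roles(roles):
    """Join a user's roles into one delimited string, the shape the check parses."""
    return DELIMITER.join(roles)


def is_in_role_vulnerable(role_string, required):
    """Split on ';' with no validation of role names: a role named
    'Helpdesk;Admins' becomes two tokens, one of which is 'Admins'."""
    return required in role_string.split(DELIMITER)


class RoleStore:
    """Hardened variant: refuses names containing the delimiter and checks
    membership against a set of role names instead of a re-split string."""

    def __init__(self):
        self.members = {}  # role name -> set of user names

    def add_role(self, name):
        if DELIMITER in name:
            raise ValueError(f"role name may not contain {DELIMITER!r}: {name!r}")
        if not name or name != name.strip():
            raise ValueError("role name must not be empty or padded")
        self.members.setdefault(name, set())

    def add_member(self, role, user):
        self.members[role].add(user)

    def is_in_role(self, user, required):
        return user in self.members.get(required, set())


def demo():
    """Returns (vulnerable_result, hardened_rejected_bad_name, hardened_result)."""
    user_roles = ["Role Administrators", "Helpdesk;Admins"]
    vulnerable = is_in_role_vulnerable(serialize_roles(user_roles), ADMIN_ROLE)
    store = RoleStore()
    store.add_role("Role Administrators")
    store.add_role(ADMIN_ROLE)
    try:
        store.add_role("Helpdesk;Admins")
        rejected = False
    except ValueError:
        rejected = True
    store.add_member("Role Administrators", "reporter")
    return vulnerable, rejected, store.is_in_role("reporter", ADMIN_ROLE)
```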

JosephMDavis commented 4 years ago

Good catch. We'll fix it for sure! Thanks!

Frycos commented 4 years ago

Awesome, glad I could help you. I'm excited seeing your patch.