intelliants / subrion

Subrion CMS - open source php content management system.
https://subrion.org/
GNU General Public License v3.0

Add permission for impersonate functionality #877

Open luuthehienhbit opened 4 years ago

luuthehienhbit commented 4 years ago

SCOPE:
Package: Subrion CMS
Version: 4.2.1

ISSUE: User management policy

Vulnerability Description: User has permission Moderators can perform deletion of the authorized user Administrator. This can be exploited for vandalism website by user Mod bad.

Steps To Reproduce:
- Create user test add UserGroup Administrators
- Create user test1 add Usergroup Moderators
- Login user test ealizable delete user admin
- Login user test1 destiny mod but maybe delete test1

Reference: https://drive.google.com/open?id=14heul86tMbr-ragLCVYfbqS1Kj6kUEw4

Mitigations: Setup policy perform user authorization

4unkur commented 4 years ago

We need to add a new permission for impersonate functionality (login as another user). Currently, there is no such permission.

Thanks for the report @luuthehienhbit

luuthehienhbit commented 4 years ago

But what if the user mod can delete all accounts including the admin? You can review the policy. Thank you!!!
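The two checks the thread asks for, a dedicated impersonate permission and a rule that a moderator cannot act on an administrator account, sketched as an added PHP example; this is illustrative code, not Subrion's own, and the group names, rank table and permission map are assumptions.

```php
<?php
// Illustrative authorization model, not Subrion's code. Assumes a user is an
// array with 'id' and 'usergroup' and that permissions live in a per-group map.
const GROUP_RANK = [
    'administrators' => 3,
    'moderators'     => 2,
    'registered'     => 1,
];

// Hypothetical per-group permission table. 'impersonate' is the new permission
// the maintainer proposes; only administrators are granted it here.
const GROUP_PERMISSIONS = [
    'administrators' => ['delete_user' => true,  'impersonate' => true],
    'moderators'     => ['delete_user' => true,  'impersonate' => false],
    'registered'     => ['delete_user' => false, 'impersonate' => false],
];

function hasPermission(array $actor, string $permission): bool
{
    return GROUP_PERMISSIONS[$actor['usergroup']][$permission] ?? false;
}

// A privileged action on another account requires both the permission and a
// target whose group ranks strictly below the actor's. The rank check is what
// stops a moderator from deleting, or logging in as, an administrator.
function canActOn(array $actor, array $target, string $permission): bool
{
    if (!hasPermission($actor, $permission)) {
        return false;
    }
    if ($actor['id'] === $target['id']) {
        return false; // self-deletion/self-impersonation is not handled here
    }
    $actorRank  = GROUP_RANK[$actor['usergroup']]  ?? 0;
    $targetRank = GROUP_RANK[$target['usergroup']] ?? 0;
    return $actorRank > $targetRank;
}

// Constructed sample accounts mirroring the report's "test" (administrator)
// and "test1" (moderator).
$admin = ['id' => 1, 'usergroup' => 'administrators'];
$mod   = ['id' => 2, 'usergroup' => 'moderators'];

var_dump(canActOn($mod, $admin, 'delete_user'));  // moderator vs administrator: denied by rank
var_dump(canActOn($admin, $mod, 'delete_user'));  // administrator vs moderator: allowed
var_dump(canActOn($mod, $admin, 'impersonate'));  // moderator lacks the permission entirely
```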