Any user can change the credentials of other users, including the Administrator's credentials. This allows an attacker to gain Administrator access and completely compromise the application.
Once logged in as a regular user, or after successfully registering as a new user, use the following URL to obtain information (the username) about other users:
http://localhost/monstra-3.0.3/users/1
The digit '1' is the ID of the Admin, i.e. the first user created in the database. By changing the digit, all registered usernames can be enumerated.
Then, using the 'Edit Profile' option of one's own user account, the password of any other user, including the Administrator, can be changed by altering the POST parameters 'user_id', 'login' and 'new_password'.
Code Flaw:
File: monstra\plugins\box\users\users.plugin.php
Function: getProfileEdit
Line No: 233
When editing a profile, the user ID is taken from Request::post('user_id') and is not checked against the logged-in user's identity. An attacker can therefore supply any user ID to the change-password functionality, and Users::$users->update then overwrites that user's password.
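The following is an added illustration of the flaw and its fix, not Monstra's own code: the vulnerable handler trusts the client-supplied 'user_id' POST parameter, while the hardened handler derives the target from the server-side session, restricts cross-user edits to administrators, and re-authenticates before a credential change. The user table, session array and function names (updateProfileVulnerable, updateProfileHardened) are constructed stand-ins for Users::$users and Request::post().

```php
<?php
// Added example; class/function names here are hypothetical stand-ins,
// not Monstra's API. The user table is constructed in memory.
$users = [
    1 => ['login' => 'admin', 'role' => 'admin',
          'password' => password_hash('admin-secret', PASSWORD_DEFAULT)],
    2 => ['login' => 'alice', 'role' => 'user',
          'password' => password_hash('alice-secret', PASSWORD_DEFAULT)],
];

// Vulnerable pattern, as described in the advisory: the record to update is
// selected solely by the attacker-controlled 'user_id' POST parameter.
function updateProfileVulnerable(array &$users, array $post): string
{
    $target = (int) $post['user_id'];
    if (!isset($users[$target])) {
        return 'no such user';
    }
    $users[$target]['login']    = $post['login'];
    $users[$target]['password'] = password_hash($post['new_password'], PASSWORD_DEFAULT);
    return "updated user $target";
}

// Hardened pattern: the target is the authenticated session user unless the
// caller is an admin; self-service password changes require the current password.
function updateProfileHardened(array &$users, array $post, array $session): string
{
    $self    = (int) $session['user_id'];                 // server-side identity
    $isAdmin = (($users[$self]['role'] ?? '') === 'admin');
    $target  = isset($post['user_id']) ? (int) $post['user_id'] : $self;

    if ($target !== $self && !$isAdmin) {
        return 'forbidden: cannot edit another user';     // the IDOR check
    }
    if (!isset($users[$target])) {
        return 'no such user';
    }
    if ($target === $self &&
        !password_verify($post['current_password'] ?? '', $users[$self]['password'])) {
        return 'forbidden: current password required';    // re-authentication
    }
    $users[$target]['login']    = $post['login'];
    $users[$target]['password'] = password_hash($post['new_password'], PASSWORD_DEFAULT);
    return "updated user $target";
}

// Constructed request: alice (session user 2) submits user_id=1 (the admin).
$session = ['user_id' => 2];
$post    = ['user_id' => '1', 'login' => 'admin', 'new_password' => 'pwned'];

$copy = $users;
echo updateProfileVulnerable($copy, $post), PHP_EOL;           // updated user 1
echo updateProfileHardened($users, $post, $session), PHP_EOL;  // forbidden: cannot edit another user
```

For detection, the same mismatch is visible server-side: log every profile edit with both the session user ID and the submitted user_id, and alert when they differ for a non-admin session.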
Header: