thyseus / yii-user-management

a user management module collection for the yii framework
185 stars 122 forks source link

Critical Security issue - Privilege Scalation #213

Closed iConn closed 8 years ago

thyseus commented 8 years ago

Hey iConn,

thanks for this contribution. Can you elaborate a little bit on this issue? Would merge this as soon as i understand the problem!

iConn commented 8 years ago

Of course. The problem is related to users update, registration, and so on. Any user could tamper the request to the controller, adding the "YumUser[superuser] = 1" and became Admin, so it a privilege scalation vuln. You can duplicate this by using TamperData on Firefox, or by intercepting the request with any proxy, and adding the paramenter into the POST body.

Yum must configure, and use scenarios to limitate the parameters that a user can manipulate, like "managerUserUpdate" in case of Admin update, "userUpdate" in case of regular users. The superuser parameter should be 'unsafe' in the 'userUpdate' scenario, so regular user could not scale to admin.

Scenario status should be selected by user roles or anything you want in every action inside the controller.

As far as this extension is public, anyone could notice this vulnerability and all the applications using it are vulnerable. So it is a very critical issue.

thyseus commented 8 years ago

Thanks a lot for your Contribution !

iConn commented 8 years ago

You are wellcome. Remember to merge my other commit at YumUserController 😉.