thyseus / yii-user-management

a user management module collection for the yii framework

Critical Security issue - Privilege Escalation #213

Closed iConn closed 7 years ago

thyseus commented 7 years ago

Hey iConn,

thanks for this contribution. Can you elaborate a little bit on this issue? Would merge this as soon as I understand the problem!

iConn commented 7 years ago

Of course. The problem is related to user update, registration, and so on. Any user could tamper with the request to the controller, adding "YumUser[superuser] = 1", and become Admin, so it is a privilege escalation vuln. You can duplicate this by using TamperData on Firefox, or by intercepting the request with any proxy, and adding the parameter into the POST body.

Yum must configure and use scenarios to limit the parameters that a user can manipulate, like "managerUserUpdate" in case of Admin update and "userUpdate" in case of regular users. The superuser parameter should be 'unsafe' in the 'userUpdate' scenario, so a regular user could not escalate to admin.

Scenario status should be selected by user roles or anything you want in every action inside the controller.

As this extension is public, anyone could notice this vulnerability, and all the applications using it are vulnerable. So it is a very critical issue.
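The fix described in the comment above, written out as an added example for Yii 1.1 (this is illustrative code, not the yii-user-management module's own code). It assumes a `YumUser` ActiveRecord with `username`, `email` and `superuser` columns, the scenario names `userUpdate` and `managerUserUpdate` from the comment, and a hypothetical `Yii::app()->user->isAdmin()` role check; the `actionUpdate` method and the `registration` scenario name are also assumptions.

```php
<?php
// Added example (not the module's code): scenario-based mass-assignment rules.
// In Yii 1.1 an attribute is mass-assignable only if a validation rule covers it
// in the current scenario and it is not marked 'unsafe'. Putting the scenario
// under the controller's control (never the request's) is what closes the
// "YumUser[superuser]=1" hole.
class YumUser extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'user';
    }

    public function rules()
    {
        return array(
            // Fields both a regular user and a manager may edit.
            array('username, email', 'required', 'on' => 'registration, userUpdate, managerUserUpdate'),
            array('email', 'email'),
            // superuser is assignable only in the manager scenario ...
            array('superuser', 'boolean', 'on' => 'managerUserUpdate'),
            // ... and explicitly unsafe for self-service flows, so
            // $model->attributes = $_POST['YumUser'] silently drops it there,
            // even if some other rule (e.g. a broad 'safe' rule) covers it.
            array('superuser', 'unsafe', 'on' => 'registration, userUpdate'),
        );
    }
}

class YumUserController extends CController
{
    // Assumed action name. The scenario is derived from the caller's role
    // on the server side; a tampered POST body cannot change it.
    public function actionUpdate($id)
    {
        $model = YumUser::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'User not found.');
        }

        // Hypothetical role check; substitute the application's own.
        $isAdmin = Yii::app()->user->isAdmin();
        $model->scenario = $isAdmin ? 'managerUserUpdate' : 'userUpdate';

        // A regular user may only edit their own record.
        if (!$isAdmin && (int) $model->id !== (int) Yii::app()->user->id) {
            throw new CHttpException(403, 'You may only edit your own profile.');
        }

        if (isset($_POST['YumUser'])) {
            // Mass assignment: in 'userUpdate' the superuser key is ignored.
            $model->attributes = $_POST['YumUser'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }

        $this->render('update', array('model' => $model));
    }
}
```

Two things are worth checking when applying this pattern: every action that builds a model from `$_POST` must set the scenario before assigning `attributes`, and the model must not carry a catch-all `array('*', 'safe')`-style rule that would re-enable the flag. Yii logs a warning when an unsafe attribute is dropped during mass assignment, which is a useful signal to watch for in application logs.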

thyseus commented 7 years ago

Thanks a lot for your contribution!

iConn commented 7 years ago

You are welcome. Remember to merge my other commit at YumUserController 😉.