RedaxScript 2.1.0 – Privilege Escalation

• Exploit Database
• 37 阅读

• 作者： shyamkumar somana
  日期： 2015-01-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35840/

• ​​​# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
  # Date: 11-05-2014
  # Exploit Author: shyamkumar somana
  # Vendor Homepage: http://redaxscript.com/
  # Version: 2.1.0
  # Tested on: Windows 8
  
  #Privilege Escalation in RedaxScript 2.1.0
  
  
   RedaxScript 2.1.0 suffers from a privilege Escalation vulnerability. The
  issue occurs because the application fails to properly implement access
  controls. The application also fails to perform proper sanity checks on the
  user supplied input before processing it.These two flaws led to a
  vertical privilege escalation. This can be achieved by a simply tampering
  the parameter values. An attacker can exploit this issue to gain elevated
  privileges to the application.
  
  *Steps to reproduce the instance:*
  
  · login as a non admin user
  
  · Go to account and update the account.
  
  · intercept the request and add “*groups[]=1*” to the post data and
  submit the request
  
  · Log out of the application and log in again. You can now browse
  the application with admin privileges.
  
  This vulnerability was addressed in the following commit.
  
  https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified
  
  
  *Timeline*:
  
  09-26-2014: Issue identified
  
  09-27-2014: Discussion with the vendor
  
  10-27-2014: Issue confirmed
  
  11-05-2014: Patch released.
  
  
  
  
  Author:Shyamkumar Somana
  Vendor Homepage:http://redaxscript.com/download
  Version: 2.1.0
  Tested on:Windows 7
  
  -- 
  
  [image: --]
  shyam kumar
  [image: http://]about.me/shyamkumar.somana
   <http://about.me/shyamkumar.somana?promo=email_sig>
  
  Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
  in.linkedin.com/in/sshyamkumar/ |