GHSA-v8x2-fjv7-8hjh

Описание

Summary

Due to a broken access control vulnerability in the /admin/pages/{page_name} endpoint, an editor ( user with full permissions to pages ) can change the functionality of a form after submission.

Details

Due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities.

PoC

• Have Admin and Form plugins installed

• Connect to panel as admin, create user and give him permission for pages all

• Now connect as that user and notice you cant edit any process field in the panel

• Change anything in the content of the form and save

• Intercept the request:

• Now modify the field `data[_json][header][form] with the following payload URL-encoded not like this:

• Change the field and forward it:

Request goes through and changes have been made to the form.

Impact

• Attacker can modify submission logic of the form which leads to changing redirect value, email sending, changing template, breaking out of the Twig sandbox potentially executing code...

Fix recommendation

• Implement proper authorization checks to such requests especially when it contains fields user shouldn't be able to modify based on his role.