Orionsec Orion-Ops Improper Authorization Vulnerability in User Profile Update Endpoint

Vulnerability

A vulnerability exists in the Orionsec Orion-Ops server component in versions up to master commit 5925824997a3109651bbde07460958a7be249ed1. The issue lies in the User Profile Handler, specifically in the update function of the UserController. The function acts on the caller-supplied ID argument without checking that it matches the authenticated session, so any authenticated user can update any user's profile, including an administrator's, simply by changing the ID in the request. This flaw can be exploited remotely and has been publicly disclosed with an available exploit.

Impact

Exploitation of this vulnerability allows any authenticated user to disable other accounts, including administrators, by setting their status to 'disabled'. This effectively locks the administrator out of their account. The same flaw also allows unauthorized modification of other user metadata, such as contact details, which could be abused for phishing or social engineering.

Reproduction

To reproduce this vulnerability, authenticate as a normal user with a developer or operator role. Then, send a POST request to the '/orion/api/user/update' endpoint, including a body that specifies the ID of an administrator account and a status value that indicates 'disabled'. The API will respond with a success message, but the administrator account will be disabled, preventing them from logging in.

Remediation

It is recommended to require administrator privileges for any account modification other than the user's own profile. The service layer should also verify, for non-admin sessions, that the ID being updated equals the ID of the current user, rather than trusting the ID in the request body. Additionally, consider separating the API into distinct endpoints for personal profile updates and administrative user management, each with its own explicit authorization check.
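The following is an added illustration of the service-layer check described above; it is not Orion-Ops code. The role name "admin", the User and Session shapes and the sample accounts are assumptions. It also goes one step beyond the page by refusing changes to the privileged fields (status, role) from a non-admin session, so a user cannot use their own profile update to change their role.

```python
"""Vulnerable vs. hardened user-update logic (hypothetical, not project code)."""
from dataclasses import dataclass

ADMIN_ROLE = "admin"                    # assumed role name
PRIVILEGED_FIELDS = {"status", "role"}  # fields only an admin may change


@dataclass
class Session:      # what the server knows about the authenticated caller
    user_id: int
    role: str


@dataclass
class User:
    id: int
    role: str
    status: str = "enabled"
    email: str = ""


class AuthorizationError(Exception):
    pass


def sample_users() -> dict[int, User]:
    """Constructed sample data: one admin and one developer."""
    return {1: User(1, "admin", email="admin@example.test"),
            2: User(2, "developer", email="dev@example.test")}


def update_user_vulnerable(session: Session, users: dict, target_id: int, changes: dict) -> User:
    """Pattern of the flaw: the caller-supplied id is trusted as-is."""
    user = users[target_id]
    for field, value in changes.items():
        setattr(user, field, value)
    return user


def update_user_fixed(session: Session, users: dict, target_id: int, changes: dict) -> User:
    """Non-admins may only touch their own profile and never privileged fields."""
    if session.role != ADMIN_ROLE:
        if target_id != session.user_id:
            raise AuthorizationError("non-admin session may only update its own profile")
        if PRIVILEGED_FIELDS & changes.keys():
            raise AuthorizationError("status/role changes require administrator privileges")
    user = users.get(target_id)
    if user is None:
        raise LookupError(f"no user with id {target_id}")
    for field, value in changes.items():
        setattr(user, field, value)
    return user
```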

Added: Dec 1, 2025, 5:18 AM
Updated: Dec 1, 2025, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 8.7
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.