reNgine Unrestricted Project Deletion Vulnerability Allowing System Takeover

A vulnerability in reNgine, an automated reconnaissance framework for web applications, allows users with the roles of 'penetration_tester' or 'auditor' to delete all projects within the system. This unrestricted project deletion can lead to a complete system takeover by redirecting the user to the onboarding page, where they can add or modify users, including those with Sys Admin privileges, and adjust critical settings such as API keys and user preferences. The vulnerability affects all versions of reNgine prior to 2.2.0.

Impact

Exploitation of this vulnerability allows for the deletion of all projects in the system, followed by unauthorized access to the onboarding page. This access enables the reconfiguration of the system, addition of new users with elevated privileges (such as Sys Admin), and modification of essential settings. Additionally, according to the vulnerability report, this could lead to remote code execution by using the 'install tools' function in the 'Tool Arsenal'.

Reproduction

To reproduce this vulnerability, a user must have a role of 'penetration_tester' or 'auditor'. Once in this role, the user can send repeated POST requests to the '/delete/project/<id>' endpoint, effectively brute-forcing the deletion of projects. After all projects have been deleted, the user is redirected to the onboarding page, where they can add or modify users and configure critical system settings.