Smanga Authentication Bypass Vulnerability Allowing Arbitrary Password Reset

Vulnerability

A critical authentication bypass vulnerability has been identified in Smanga version 3.2.7. This vulnerability allows an unauthenticated attacker to reset the password of any user, including administrators, and take over the account by manipulating POST parameters. The issue arises from insecure permission validation in 'check-power.php', which improperly trusts user-supplied input without verifying session authenticity.

Impact

Exploitation of this vulnerability leads to unauthorized account takeover, granting access to all sensitive user data, configuration files, and managed media content. Additionally, with administrative access, there is potential for further exploitation, such as modifying system configurations or executing arbitrary code through file management features.

Reproduction

To reproduce this vulnerability, send a POST request to '/app/php/account/update.php' with the 'userId' parameter set to '1' (the Administrator ID) to bypass the authentication check. Include 'targetUserId' set to '1' to modify the Administrator account, along with a new password. The request can be sent using tools like Burp Suite, Postman, or 'curl', without the need for a valid session or login credentials.

Remediation

The application should be updated to validate user identity against a secure server-side session, rather than trusting client-side input for authorization checks. Recommended changes include modifying the 'check-user-power' function to retrieve the 'userId' from the active session and reject unauthenticated requests.
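The difference between the two checks, as an added example that is not Smanga's own code: the function names, the in-memory `USERS` table, the session key `userId` and the "self or admin" reset policy are assumptions made for illustration. Only the `userId` and `targetUserId` request parameters come from the advisory.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the user table; not Smanga's schema.
const USERS = [1 => ['role' => 'admin'], 2 => ['role' => 'user']];

// Insecure pattern from the advisory: the acting identity is read from the
// request body, so the client chooses who it claims to be.
function actor_from_post(array $post): ?int
{
    $id = (int)($post['userId'] ?? 0);
    return array_key_exists($id, USERS) ? $id : null;
}

// Hardened pattern: the acting identity comes only from the server-side
// session (in a web handler: $_SESSION after session_start()).
function actor_from_session(array $session): ?int
{
    $id = $session['userId'] ?? null;
    return (is_int($id) && array_key_exists($id, USERS)) ? $id : null;
}

// Assumed policy: a user may reset their own password, an admin anyone's.
function may_reset_password(?int $actorId, array $post): bool
{
    if ($actorId === null) {
        return false; // unauthenticated: reject before touching the target
    }
    $target = (int)($post['targetUserId'] ?? 0);
    if (!array_key_exists($target, USERS)) {
        return false;
    }
    return $actorId === $target || USERS[$actorId]['role'] === 'admin';
}

// Constructed request body using the parameters named in the advisory.
$post = ['userId' => '1', 'targetUserId' => '1'];

$cases = [
    'insecure check, no session'         => actor_from_post($post),
    'session check, no session'          => actor_from_session([]),
    'session check, logged in as user 2' => actor_from_session(['userId' => 2]),
];
foreach ($cases as $label => $actor) {
    printf("%-36s %s\n", $label, may_reset_password($actor, $post) ? 'ALLOWED' : 'REJECTED');
}
```

With the session-based check, the `userId` field in the request body is never consulted, so changing it has no effect on who the server believes is acting.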

Added: Feb 20, 2026, 5:52 PM
Updated: Feb 20, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.