xujeff tianti
cpe:2.3:a:tianti_project:tianti:*:*:*:*:*:*:*
- <= 2.3
This vulnerability is being actively exploited in the wild.
A critical missing authorization vulnerability has been identified in Xujeff Tianti 天梯 versions through 2.3. The issue resides in the UserController, specifically in the '/tianti-module-admin/user/ajax/save' endpoint. The application's permission model is enforced only on the client side, which is not a security control: the backend API, which should enforce user roles and permissions itself, accepts requests from the client without verifying the caller's authority. A low-privilege user can therefore bypass the user interface and call the API directly. This flaw enables vertical privilege escalation, allowing low-privilege users to perform actions reserved for super administrators, such as resetting passwords, deleting users, and managing menu permissions.
Exploitation of this vulnerability allows unauthorized actions to be performed as a super administrator, including password resets, user deletions, and menu permission management. Additionally, the vulnerability could be exploited to disrupt normal user logins by setting user statuses to unavailable.
To reproduce this vulnerability, create a low-privilege user account. Then, bypass the user interface by sending direct API calls to the '/tianti-module-admin/user/role_list' endpoint. This will return a list of roles, including the super administrator role. Use the role ID from the super administrator role to craft a request to the '/tianti-module-admin/user/ajax/save' endpoint, including the ID of the low-privilege account. This request will elevate the privileges of the low-privilege user to that of a super administrator.
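The root cause described above is that the save endpoint never checks, on the server, who is making the request and whether that caller is allowed to change the target account's roles or status. The following Python model is an added illustration, not code from the Tianti project: the first handler stands in for the pattern the advisory describes (the server applies whatever user_id and role_ids the client sends), the second resolves the caller from the server-side session and enforces the role model before any write, and records denied requests so repeated attempts can be alerted on. The role name, in-memory user table, request shape and audit list are all constructed for this example.

```python
"""Server-side authorization for a user-management save endpoint.

Added illustration, not code from the Tianti project. The role name,
the in-memory user table, the request dictionary shape and the audit
list are constructed for this example.
"""
from dataclasses import dataclass, field

SUPER_ADMIN = "super_admin"                  # constructed role name
ADMIN_ONLY_FIELDS = ("role_ids", "status")   # fields only a super admin may set


@dataclass
class User:
    user_id: int
    name: str
    roles: set = field(default_factory=set)
    status: str = "available"


def make_users():
    """Fresh constructed user table standing in for the application database."""
    return {
        1: User(1, "root", {SUPER_ADMIN}),
        2: User(2, "alice", {"viewer"}),
        3: User(3, "bob", {"viewer"}),
    }


AUDIT_LOG = []   # denied attempts: the raw material for detection


def save_user_unchecked(users, request):
    """Vulnerable pattern: trusts the client, never asks who is calling."""
    target = users[request["user_id"]]
    if "role_ids" in request:
        target.roles = set(request["role_ids"])
    if "status" in request:
        target.status = request["status"]
    return True, "saved"


def save_user_checked(users, session, request):
    """Hardened pattern: authority comes from the session, never the request."""
    caller = users.get(session.get("user_id"))
    if caller is None:
        return _deny(session, request, "unauthenticated")
    target = users.get(request.get("user_id"))
    if target is None:
        return _deny(session, request, "unknown target user")
    if SUPER_ADMIN not in caller.roles:
        # A non-admin may edit only their own profile fields.
        if target.user_id != caller.user_id:
            return _deny(session, request, "non-admin may only edit own account")
        touched = [f for f in ADMIN_ONLY_FIELDS if f in request]
        if touched:
            return _deny(session, request,
                         f"fields reserved for {SUPER_ADMIN}: {touched}")
    # Reached only with a verified caller; apply the permitted changes.
    if "name" in request:
        target.name = request["name"]
    if "role_ids" in request:
        target.roles = set(request["role_ids"])
    if "status" in request:
        target.status = request["status"]
    return True, "saved"


def _deny(session, request, reason):
    """Record the refused request and return a failed decision."""
    AUDIT_LOG.append({"caller": session.get("user_id"),
                      "target": request.get("user_id"), "reason": reason})
    return False, reason


if __name__ == "__main__":
    users = make_users()
    print(save_user_unchecked(users, {"user_id": 2, "role_ids": [SUPER_ADMIN]}))
    print(users[2].roles)        # a viewer silently became super_admin
    users = make_users()
    print(save_user_checked(users, {"user_id": 2},
                            {"user_id": 2, "role_ids": [SUPER_ADMIN]}))
    print(users[2].roles, AUDIT_LOG[-1])
```

The important design point is that the hardened handler derives the caller's identity and roles from server-side session state and decides per field what that caller may change; the client-supplied user_id and role_ids are treated as untrusted input. The audit entries give a defender a concrete signal: any denied write to the save endpoint from a non-admin session is worth alerting on.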