Xinhu RockOA Privilege Escalation Vulnerability in publicsaveAjax Function

Vulnerability

A vulnerability exists in Xinhu RockOA versions through 2.6.9, specifically in the publicsaveAjax method of index.php. This vulnerability allows low-privileged users to bypass authorization and arbitrarily modify database records. The issue arises because the function lacks proper authorization checks, relying solely on user input. As a result, unauthorized users can exploit this flaw to manipulate data, including that of other users.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in the database, including the creation or modification of records. It also allows low-privileged users to access functionalities reserved for administrators, and to alter data associated with other users.

Reproduction

To reproduce this vulnerability, a logged-in user must send a crafted POST request to the publicsaveAjax method. The request should include specific parameters that exploit the lack of authorization checks, such as the tablename_postabc, submitfields_postabc, and otherfields parameters. This can be done using tools like Postman or through a simple script that automates the process.

Remediation

It is recommended to implement proper authorization checks in the publicsaveAjax method, ensuring that users can only perform actions they are explicitly allowed to. Additionally, the session cookie should be used to verify user identity before processing any database modifications.
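A sketch of the kind of deny-by-default check this remediation describes, added here as an example and not taken from RockOA's code. The policy table, the role, table and column names, the `id` and `uid` fields, the `$ownerOf` callback and the comma-separated format assumed for submitfields_postabc are all hypothetical; only the three request parameter names come from the description above.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side policy: role => table => writable columns.
// Role, table and column names are constructed for illustration.
const SAVE_POLICY = [
    'user'  => ['daily_report' => ['title', 'content']],
    'admin' => [
        'daily_report' => ['title', 'content', 'status'],
        'user_account' => ['name', 'deptid'],
    ],
];

/**
 * Authorize a generic save request before any SQL is built.
 * $session is server-side session state; $post is the untrusted request body.
 * $ownerOf(table, id) returns the uid owning an existing row, or null.
 * Returns [table, row-to-write]; throws RuntimeException on any violation.
 */
function authorizeSave(array $session, array $post, callable $ownerOf): array
{
    $uid    = (int)($session['uid'] ?? 0);
    $role   = (string)($session['role'] ?? '');
    $policy = SAVE_POLICY[$role] ?? null;
    if ($uid <= 0 || $policy === null) {
        throw new RuntimeException('not authenticated');
    }
    $table   = (string)($post['tablename_postabc'] ?? '');
    $allowed = $policy[$table] ?? null;
    if ($allowed === null) {
        throw new RuntimeException('table not permitted for this role');
    }
    // Assumption: submitfields_postabc is a comma-separated column list.
    $raw    = trim((string)($post['submitfields_postabc'] ?? ''));
    $fields = preg_split('/\s*,\s*/', $raw, -1, PREG_SPLIT_NO_EMPTY) ?: [];
    if ($fields === [] || array_diff($fields, $allowed) !== []) {
        throw new RuntimeException('column not permitted for this role');
    }
    // Client-supplied extra columns are refused; the server sets them itself.
    if (($post['otherfields'] ?? '') !== '') {
        throw new RuntimeException('otherfields not accepted from client');
    }
    $id = (int)($post['id'] ?? 0); // hypothetical primary-key parameter
    if ($id > 0 && $role !== 'admin' && $ownerOf($table, $id) !== $uid) {
        throw new RuntimeException('row belongs to another user');
    }
    $row = ['uid' => $uid]; // owner comes from the session, not the request
    foreach ($fields as $f) {
        $row[$f] = (string)($post[$f] ?? '');
    }
    return [$table, $row];
}
```

The handler would call this first and pass only the returned table and row to a parameterized write, so the table name, column list and row owner are never taken from the request unchecked.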

Added: Aug 29, 2025, 2:19 AM
Updated: Aug 29, 2025, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.