MineAdmin Improper Authorization Vulnerability in View Interface Allowing Privilege Escalation

Vulnerability

A logic flaw has been identified in MineAdmin versions 1.x and 2.x, in the View Interface component. The issue arises in an unknown function of the file '/system/cache/view', where improper authorization allows vertical privilege escalation. The view interface requires login but does not enforce any specific permission check. The vulnerability can be exploited remotely, enabling attackers to access the Redis cache and retrieve sensitive information such as administrator tokens, user tokens, and crontab details.

Impact

Exploitation of this vulnerability allows for vertical privilege escalation, enabling an ordinary user to access sensitive administrative information through the Redis cache, including administrator tokens and user tokens.

Reproduction

To reproduce this vulnerability, an ordinary user token must be used to authenticate a request to the '/system/cache/view' interface. The absence of proper authorization checks will allow access to restricted cache data, including sensitive tokens and crontab information.

Remediation

It is recommended to strengthen permission validation on the 'view' interface to ensure proper authorization checks are in place.
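
The following is an added example, not MineAdmin's code: a minimal Python model of a route that only requires login next to the same route with a permission check, plus an audit helper that lists routes declaring no permission. The permission code `system:cache:view`, the session tokens and the cache contents are constructed assumptions.

```python
from dataclasses import dataclass

CACHE_VIEW = "/system/cache/view"   # route named in the advisory
PERM = "system:cache:view"          # hypothetical permission code (assumption)

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()

# Constructed sample sessions: bearer token -> logged-in user
SESSIONS = {
    "tok-admin": User("admin", frozenset({PERM})),
    "tok-user": User("alice"),      # ordinary user, no cache permission
}

# Constructed stand-in for the Redis cache contents
CACHE = {"token:admin": "constructed-admin-token", "crontab:1": "constructed-job"}

# Route table: path -> required permission (None = login is the only gate)
ROUTES_BEFORE = {CACHE_VIEW: None}  # behaviour the advisory describes
ROUTES_AFTER = {CACHE_VIEW: PERM}   # remediation: permission enforced

def dispatch(routes, path, token, key):
    """Return (status, body) for a cache lookup request."""
    if path not in routes:
        return 404, None
    user = SESSIONS.get(token)
    if user is None:
        return 401, None            # authentication: is this a valid login?
    required = routes[path]
    if required is not None and required not in user.permissions:
        return 403, None            # authorization: may this user do this?
    return 200, CACHE.get(key)

def unguarded_routes(routes):
    """Audit helper: authenticated routes that declare no permission."""
    return sorted(path for path, perm in routes.items() if perm is None)

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, dispatch(routes, CACHE_VIEW, "tok-user", "token:admin"),
              "unguarded:", unguarded_routes(routes))
```

Running an audit like `unguarded_routes` in CI over the real route table catches other endpoints that rely on login alone.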

Added: Jan 19, 2026, 11:19 PM
Updated: Jan 19, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.