Indotalent Free-CRM Privilege Escalation Vulnerability via Client-Side Redirect Authorization Bypass
Vulnerability
A broken access control vulnerability has been identified in Indotalent Free-CRM versions through b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This vulnerability allows low-privileged authenticated users to escalate privileges and gain full administrative access. The issue arises because the application renders sensitive administrative content before completing authorization checks, relying on client-side redirects for access control. By interrupting these redirects, an attacker can access and manipulate administrative features, effectively compromising the application's security.
Impact
Exploitation of this vulnerability leads to unauthorized access to administrative functions, allowing low-privileged users to perform privileged actions such as user management and account modifications.
Reproduction
To reproduce this vulnerability, log into the application with a low-privileged account. Once authenticated, navigate to an administrative endpoint, such as '/Users/UserList' or '/Roles/RoleList'. The application will redirect to the login page, but this redirect can be interrupted using browser developer tools. After bypassing the redirect, the administrative interface will be accessible, and privileged actions can be performed.
Remediation
It is recommended to implement server-side authorization checks for all administrative endpoints, ensuring that only users with the appropriate roles can access privileged functions. Additionally, remove reliance on client-side redirects for access control and enforce authorization validations at the controller level before rendering responses.
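The following is an added illustrative example, not Free-CRM's own code, showing the defective pattern next to a controller-level fix in ASP.NET Core MVC (the framework the advisory's controller-style routes suggest). Controller, view, record and user names are assumed; the route names '/Users/UserList' and '/Roles/RoleList' are the ones given above.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example (not Free-CRM's own code). Controller, view and user names are assumed
// for illustration; only the administrative route names come from the advisory.

public sealed record CrmUser(string UserName, string Role);

// Constructed sample data standing in for the application's user store.
public static class SampleUserStore
{
    public static IReadOnlyList<CrmUser> All() => new[]
    {
        new CrmUser("admin", "Admin"),
        new CrmUser("alice", "Sales"),
    };
}

// VULNERABLE PATTERN (assumed shape of the flaw described above). The action returns the
// privileged view to every authenticated caller and delegates the "not allowed" decision to
// a redirect emitted inside the rendered page (for example a <script> or <meta refresh>
// that sends non-admins to the login page). The response body already carries the user
// list, so a client that never executes the redirect still receives the administrative content.
public class UsersVulnerableController : Controller
{
    public IActionResult UserList()
    {
        ViewBag.RedirectToLogin = !User.IsInRole("Admin"); // the view turns this into a client-side redirect
        return View(SampleUserStore.All());                // rendered regardless of role
    }
}

// FIXED: authorization is enforced on the server before any view is rendered.
// [Authorize] runs in the MVC filter pipeline; a non-admin receives the 401 challenge
// (typically a 302 to the login page) or a 403, and the action body never executes, so no
// administrative HTML is generated for that user.
[Authorize(Roles = "Admin")]
public class UsersController : Controller
{
    public IActionResult UserList() => View(SampleUserStore.All());

    // For actions that need a finer-grained decision than the class-level attribute,
    // decide first and return Forbid() before any response body is produced.
    public IActionResult Detail(string userName)
    {
        if (!User.IsInRole("Admin"))
        {
            return Forbid(); // 403, empty body; nothing privileged is rendered
        }

        foreach (var user in SampleUserStore.All())
        {
            if (user.UserName == userName)
            {
                return View(user);
            }
        }
        return NotFound();
    }
}
```

Two points a practitioner would add when applying this: first, register a default policy in `AddAuthorization` (the `FallbackPolicy` option requiring an authenticated user) so that any administrative controller that is accidentally left without an attribute still denies anonymous access by default; second, verify the fix with a client that does not execute scripts, such as `curl -i` carrying a low-privileged session cookie, and confirm that '/Users/UserList' and '/Roles/RoleList' now answer with a redirect or 403 whose body contains no user or role data, since before the fix the administrative HTML was already present in that body.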