CtrlPanel
- <= 1.1.1
A broken access control vulnerability has been identified in CtrlPanel billing software for hosting providers, affecting versions through 1.1.1. The vulnerability arises because multiple admin controllers enforce permission checks on form display methods but fail to apply equivalent checks on the corresponding write methods. This oversight allows any authenticated user to bypass role-based access control (RBAC) by sending direct POST or PATCH requests to these endpoints. The vulnerability is present in several controllers, including ApplicationApiController, CouponController, PartnerController, ShopProductController, UsefulLinkController, VoucherController, ProductController, ServerController, UserController, and ActivityLogController. An authenticated attacker without admin write privileges can exploit this vulnerability to issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts, including roles, credits, passwords, and linked Pterodactyl IDs, leading to full privilege escalation. Additionally, the vulnerability allows interference with admin impersonation sessions by abusing a session restoration feature.
Exploitation of this vulnerability allows authenticated users to bypass RBAC and gain unauthorized access to admin write functionalities, leading to the creation and modification of API credentials, discount coupons, vouchers, partner relationships, shop products, user accounts, server records, and interference with admin impersonation sessions.
To reproduce this vulnerability, authenticate as a user without admin write permissions. Then, send a direct POST request to one of the affected admin write endpoints, such as those managed by the CouponController. Include the necessary data in the request to create a coupon, bypassing the form UI entirely. The request will be processed successfully, despite the lack of required permissions.
The vulnerability has been fixed in CtrlPanel version 1.2.0. Users should update to this version to address the issue.
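Added example (not CtrlPanel's code): a constructed Python model of the bug class described above, a permission gate on the form-display action but none on the paired write action, shown beside the corrected controller, plus an audit that flags such mismatches so it can run as a regression test. The `@require` decorator, the permission name and the controller classes are assumptions; the form/write pairing follows the Laravel resource-controller naming (`create`/`store`, `edit`/`update`), assumed here to match CtrlPanel's layout.

```python
import functools
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a gated action is called without the permission it needs."""


@dataclass
class User:  # constructed stand-in for the application's user model
    name: str
    permissions: set = field(default_factory=set)


def require(permission):
    """Assumed gate decorator: enforces the permission and records it on the action."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, user, *args, **kwargs):
            if permission not in user.permissions:
                raise Forbidden(f"{fn.__name__} requires {permission}")
            return fn(self, user, *args, **kwargs)
        wrapper.required_permission = permission  # visible to the audit below
        return wrapper
    return deco


class VulnerableCouponController:
    @require("admin.coupons.write")
    def create(self, user):            # GET form: gated
        return "coupon-form"

    def store(self, user, code):       # POST write: no gate (the bug class)
        return {"coupon": code}


class FixedCouponController(VulnerableCouponController):
    @require("admin.coupons.write")    # same gate on the write action
    def store(self, user, code):
        return {"coupon": code}


PAIRS = {"create": "store", "edit": "update"}  # form action -> write action


def audit(controller_cls):
    """Return (write_action, permission) pairs where the form is gated but the write is not."""
    gaps = []
    for form, write in PAIRS.items():
        f, w = getattr(controller_cls, form, None), getattr(controller_cls, write, None)
        if f is None or w is None:
            continue
        need = getattr(f, "required_permission", None)
        if need and getattr(w, "required_permission", None) != need:
            gaps.append((write, need))
    return gaps
```

Running `audit` over every admin controller in a test suite turns the missing-check pattern into a failing build instead of a silent RBAC bypass.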