Wger Workout Manager Gym Configuration Update Endpoint Permission Bypass Vulnerability

A vulnerability exists in Wger Workout Manager versions through 2.5 in the Gym Configuration Update endpoint. The issue arises because the view incorrectly inherits from WgerFormMixin, which only performs ownership checks, instead of the required WgerPermissionMixin that enforces permission checks. As a result, any authenticated user can modify global gym settings, leading to unauthorized changes in user profile gym assignments. This vulnerability allows for vertical privilege escalation by granting regular users control over installation-wide configurations.

Impact

Exploitation of this vulnerability allows low-privileged authenticated users to gain unauthorized access to global gym configuration settings, which can then be used to manipulate user profile assignments across the entire application.

Reproduction

The vulnerability can be reproduced by accessing the Gym Configuration Update endpoint as an authenticated user with low privileges. The endpoint can be reached via a POST request, which, after authentication, will redirect to a success URL. However, this redirection may result in a 'Forbidden' response, despite the successful configuration update.

Remediation

Users can upgrade to Wger version 2.5 or later, where this vulnerability has been fixed.