PbootCMS
cpe:2.3:a:pbootcms:pbootcms:*:*:*:*:*:*:*
- 3.2.0
- 3.2.1
- 3.2.2
- 3.2.3
- 3.2.4
- 3.2.5
- 3.2.6
- 3.2.7
- 3.2.8
- 3.2.9
- 3.2.10
- 3.2.11
- 3.2.12
A vulnerability exists in PbootCMS versions through 3.2.12, in the UserController.php file of the Backend component. The affected feature allows arbitrary modification of user fields via the 'field' and 'value' parameters. Because these parameters are not properly validated, lower-privileged administrators can alter sensitive information, such as password hashes, for other admin accounts. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability could let a lower-privileged administrator change sensitive user data without authorization, potentially leading to an administrative account takeover.
To reproduce this vulnerability, send a GET request to the '/admin/User/mod' endpoint with the 'ucode' parameter set to the target user's code, and the 'field' parameter set to 'password'. The 'value' parameter should contain a hash that corresponds to md5(md5('123456')).
It is recommended to avoid accepting arbitrary field names from user input, to enforce strict allowlists of editable attributes, and to apply thorough authorization checks at both the object and field levels.
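The recommendation above, sketched as an added example (not PbootCMS code and not part of the original advisory): a PHP check that a single-field update handler could call before writing to the database. The function name, the allowlisted column names and the numeric 'level' privilege model are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: column name => validator for the submitted value.
// 'password' is deliberately absent from it.
const EDITABLE_FIELDS = [
    'status'   => 'validateStatus',
    'realname' => 'validateRealname',
];

function validateStatus(string $v): bool { return $v === '0' || $v === '1'; }
function validateRealname(string $v): bool
{
    return preg_match('/^[\p{L}\p{N} ._-]{1,30}$/u', $v) === 1;
}

/**
 * Decide whether $actor may set $field to $value on $target.
 * Both rows are ['ucode' => string, 'level' => int]; a lower level means
 * more privilege (assumed model). Returns [bool $allowed, string $reason].
 */
function authorizeFieldUpdate(array $actor, array $target, string $field, string $value): array
{
    // Field-level check: the column name must be on the allowlist.
    if (!array_key_exists($field, EDITABLE_FIELDS)) {
        return [false, 'field not editable'];
    }
    // Object-level check: edit yourself, or strictly less-privileged accounts.
    $self = $actor['ucode'] === $target['ucode'];
    if (!$self && $actor['level'] >= $target['level']) {
        return [false, 'insufficient privilege over target'];
    }
    // Value check: each allowlisted field has its own validator.
    if (!call_user_func(EDITABLE_FIELDS[$field], $value)) {
        return [false, 'invalid value'];
    }
    return [true, 'ok'];
}

// Constructed sample accounts and requests.
$super  = ['ucode' => '10001', 'level' => 0];
$editor = ['ucode' => '10002', 'level' => 2];
$cases  = [
    [$editor, $super, 'password', str_repeat('a', 32)], // column outside the allowlist
    [$editor, $super, 'status', '0'],                   // target outranks the actor
    [$super, $editor, 'status', '0'],                   // allowlisted field, lower-ranked target
    [$super, $editor, 'status', 'disabled'],            // value fails the field's validator
];
foreach ($cases as [$a, $t, $f, $v]) {
    [$ok, $why] = authorizeFieldUpdate($a, $t, $f, $v);
    printf("%s -> %s.%s: %s (%s)\n", $a['ucode'], $t['ucode'], $f, $ok ? 'ALLOW' : 'DENY', $why);
}
```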