SS-2013-005: Privilege escalation with APPLY_ROLES

CMS users with access to the "Security" admin interface can increase their privileges to ADMIN if they currently just hold the permission "Apply roles to groups" (APPLY_ROLES). They can exploit their access either by assigning privileged permissions to a group they already belong to, or by creating a new role with more privileged permissions.

Only a small number of advanced installations should have this "sub-admin" role set up, which makes them vulnerable to this issue. Note that APPLY_ROLES still allows users with access to the "Security" interface to assign themselves non-privileged permissions such as editing CMS content or CMS settings. This is by design. It is also advised to use the built-in "Only admins can apply" flag on roles which are deemed privileged, which already prevents "sub-admins" from assigning such a role to a group they belong to.

This has been fixed by additional validation on the PermissionRoleCode model.
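As an added illustration (not SilverStripe's own code; the class and function names are assumptions), the two checks that close the escalation paths described above: validation of a role's permission codes, so a non-admin holding only APPLY_ROLES cannot attach ADMIN to a new or existing role, and the "Only admins can apply" check when a role is applied to a group.

```python
"""Stand-alone model of the role validation fix described in SS-2013-005.

Added illustration, not SilverStripe's own code: the names below are assumptions.
"""
from dataclasses import dataclass, field

# Codes that confer (or can be turned into) full control; assumed set for this model.
PRIVILEGED_CODES = {"ADMIN", "APPLY_ROLES"}


@dataclass
class Actor:
    """The CMS user making the change, with their effective permission codes."""
    permissions: set = field(default_factory=set)

    def has(self, code: str) -> bool:
        # ADMIN implies every other permission.
        return "ADMIN" in self.permissions or code in self.permissions


@dataclass
class Role:
    name: str
    codes: set = field(default_factory=set)
    only_admin_can_apply: bool = False  # the "Only admins can apply" flag


def validate_role_codes(actor: Actor, role: Role) -> list:
    """The fix: a non-admin may not put a privileged code on any role (new or
    existing), so APPLY_ROLES alone can no longer be escalated to ADMIN."""
    errors = []
    if not actor.has("ADMIN"):
        for code in sorted(role.codes & PRIVILEGED_CODES):
            errors.append(f"{code!r} can only be granted by an administrator")
    return errors


def validate_role_assignment(actor: Actor, role: Role) -> list:
    """Check before a role is applied to a group: APPLY_ROLES is required, and
    a role flagged 'Only admins can apply' is refused to non-admins."""
    errors = []
    if not actor.has("APPLY_ROLES"):
        errors.append("APPLY_ROLES is required to apply roles to groups")
    if role.only_admin_can_apply and not actor.has("ADMIN"):
        errors.append(f"role {role.name!r} can only be applied by an administrator")
    return errors
```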

Severity: Low
Identifier: SS-2013-005
Versions Affected: 2.4, 3.0, 3.1
Versions Fixed: 2.4.11, 3.0.6, 3.1.0
Release Date: 2013-09-12