SS-2013-005: Privilege escalation with APPLY_ROLES
- Severity: Low (?)
- Identifier: SS-2013-005
- Versions Affected: 2.4, 3.0, 3.1
- Versions Fixed: 2.4.11, 3.0.6, 3.1.0
- Release Date: 2013-09-12
CMS users with access to the "Security" admin interface can escalate their privileges to ADMIN if they currently hold only the permission "Apply roles to groups" (APPLY_ROLES). They can exploit this access either by assigning privileged permissions to a group they already belong to, or by creating a new role that carries more privileged permissions.
Only a small number of advanced installations should have this "sub-admin" role set up, which is what makes them vulnerable to this issue. Note that APPLY_ROLES still allows users with access to the "Security" interface to assign themselves non-privileged permissions such as editing CMS content or CMS settings; this is by design. It is also advisable to use the built-in "Only admins can apply" flag on roles which are deemed privileged, as this already prevents "sub-admins" from assigning such a role to a group they belong to.
This has been fixed by additional validation on the PermissionRoleCode model.
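The following is an added illustration of the two checks the advisory refers to, not SilverStripe's own PermissionRoleCode code: a simplified, self-contained PHP 8 model in which the "Only admins can apply" flag governs attaching a role to a group, and the fix is a validation step that refuses to attach a privileged permission code to a role unless the actor is a full ADMIN. The class names, the PRIVILEGED_CODES set and the sample permission codes are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the SS-2013-005 checks; not SilverStripe's real classes.
// Codes treated as privileged: ADMIN is named in the advisory, and this model
// also treats APPLY_ROLES as privileged (an assumption of the example).
const PRIVILEGED_CODES = ['ADMIN', 'APPLY_ROLES'];

final class Member {
    /** @param string[] $codes permission codes the member effectively holds */
    public function __construct(private array $codes) {}
    public function can(string $code): bool {
        return in_array('ADMIN', $this->codes, true) || in_array($code, $this->codes, true);
    }
}

final class Role {
    /** @param string[] $codes permission codes carried by the role */
    public function __construct(public string $title, public array $codes, public bool $onlyAdminCanApply = false) {}
}

/** Pre-existing safeguard: the "Only admins can apply" flag on a role. */
function canApplyRole(Member $actor, Role $role): bool {
    if (!$actor->can('APPLY_ROLES')) {
        return false;
    }
    return $role->onlyAdminCanApply ? $actor->can('ADMIN') : true;
}

/**
 * The fix: validate a role code before it is written. A sub-admin holding only
 * APPLY_ROLES may still add non-privileged codes (content or settings editing),
 * but may not attach ADMIN or another privileged code to any role, whether the
 * role is new or already applied to a group the actor belongs to.
 * Returns null when the write is allowed, otherwise the reason for refusal.
 */
function validateRoleCode(Member $actor, string $code): ?string {
    if (!$actor->can('APPLY_ROLES')) {
        return 'actor may not edit roles';
    }
    if (in_array($code, PRIVILEGED_CODES, true) && !$actor->can('ADMIN')) {
        return "$code is privileged and may only be granted by an ADMIN";
    }
    return null;
}

// Usage: a sub-admin (sample permission codes constructed for this example)
// attempting both paths described in the advisory.
$subAdmin = new Member(['APPLY_ROLES', 'CMS_ACCESS_SecurityAdmin']);
var_dump(validateRoleCode($subAdmin, 'CMS_ACCESS_CMSMain'));                                // NULL: allowed
var_dump(validateRoleCode($subAdmin, 'ADMIN'));                                             // string: refused
var_dump(canApplyRole($subAdmin, new Role('Editors', ['CMS_ACCESS_CMSMain'])));             // bool(true)
var_dump(canApplyRole($subAdmin, new Role('Admins', ['ADMIN'], onlyAdminCanApply: true)));  // bool(false)
```

Run with `php` (8.0 or later, because of constructor promotion and named arguments); the validation step is what the advisory's fix adds, while the flag check existed before.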