huntr / brenu / A13A56B7-04DA-4560-B8EC-0D637D12A245
Sep 10, 2022 - 8:51 p.m.

Mass Assignment in Self Controller Leads To Vertical Privilege Escalation

2022-09-10 20:51:36
brenu
www.huntr.dev
budibase
api endpoint
mass assignment
privilege escalation
security vulnerability
user roles
tenant apps
burpsuite
owasp zap
bug bounty

EPSS

0.001

Percentile

21.4%

Description

Hello there, y’all! How are you doing? Hope you are doing great!

While testing Budibase, I noticed that the API endpoint /api/global/self, which is used for several purposes (updating a user's name or their password), always receives an entire user object containing most of the user's attributes, including their roles. Reading the code showed that this "self update" process has a mass assignment flaw: the only attribute a user cannot change is their own ID, so they can change their own access level and become the admin of any tenant they belong to.

In other words, whenever an admin invites people as app users, there is a risk that one of those app users changes their own role to admin and then demotes the original admin to a plain app user. At that point the attacker can do anything they want, including deleting all of the tenant's apps or changing their contents.

Steps to Reproduce

1 => Create a user who will be the admin of a tenant, then invite a second email address as an app user;

2 => Now, as the invited user (the potential attacker), log in and click on Update user information. This modal is only supposed to change a user's name, but with a proxy tool such as Burp Suite or OWASP ZAP you can intercept the request that it sends;

3 => With the request intercepted, change the builder, admin and accountPortalAccess attributes in the JSON object to something like this:

{
    ...
    "builder": {
        "global": true
    },
    "admin": {
        "global": true
    },
    ...
    "accountPortalAccess": true,
    ...
}

4 => Boom! Now, if you log out and back in, you will see the same dashboard that only editors and admins can see, and you can even go to the users page and change the role of the original admin to a lower one;
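To make the root cause concrete, here is an added example (not Budibase's code, and not the fix the project shipped) of a minimal Node-style "self" update handler in two versions: the vulnerable shape described in this report, which merges the whole request body into the stored user and only pins the ID, and a hardened version that allowlists the fields a user may change about themselves. The stored user record, the field names (firstName, lastName, password, roles) and the attacker payload are constructed for illustration and are assumptions, except for builder, admin and accountPortalAccess, which come from the report.

```javascript
// Added example, not Budibase's implementation. Record shape and field names
// other than builder/admin/accountPortalAccess are assumptions.

// Constructed "database" record for the invited, low-privilege app user.
const storedUser = {
  _id: "us_1234",
  email: "appuser@example.com",
  firstName: "App",
  lastName: "User",
  builder: { global: false },
  admin: { global: false },
  accountPortalAccess: false,
};

// Constructed payload: the intercepted "Update user information" request
// with the privileged fields from the report edited in (and an ID change
// thrown in to show that pinning the ID alone is not enough).
const attackerBody = {
  _id: "us_9999",
  firstName: "Still App",
  builder: { global: true },
  admin: { global: true },
  accountPortalAccess: true,
};

// VULNERABLE: mass assignment. Everything in the body lands on the user,
// so role flags ride along with a harmless name change.
function selfUpdateVulnerable(user, body) {
  return { ...user, ...body, _id: user._id };
}

// HARDENED: explicit allowlist of self-editable fields (assumed names).
// Anything not on the list is dropped, and privileged fields are taken
// from the stored record rather than trusted from the request.
const SELF_EDITABLE_FIELDS = ["firstName", "lastName", "password"];

function selfUpdateHardened(user, body) {
  const updates = {};
  for (const field of SELF_EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      updates[field] = body[field];
    }
  }
  return {
    ...user,
    ...updates,
    _id: user._id,
    builder: user.builder,
    admin: user.admin,
    accountPortalAccess: user.accountPortalAccess,
  };
}

// Detection aid: a legitimate profile form never sends these fields, so
// their presence in a self-update body is worth logging or alerting on.
// "roles" is an assumed extra field, not taken from the report.
const PRIVILEGED_FIELDS = ["builder", "admin", "accountPortalAccess", "roles"];

function privilegedFieldsIn(body) {
  return PRIVILEGED_FIELDS.filter((f) =>
    Object.prototype.hasOwnProperty.call(body, f)
  );
}

// Runs both handlers against the same attacker payload.
function demo() {
  return {
    vuln: selfUpdateVulnerable(storedUser, attackerBody),
    safe: selfUpdateHardened(storedUser, attackerBody),
    flagged: privilegedFieldsIn(attackerBody),
  };
}

const result = demo();
console.log("vulnerable handler grants admin:", result.vuln.admin.global);
console.log("hardened handler grants admin:", result.safe.admin.global);
console.log("privileged fields present in body:", result.flagged);
```

The point of the hardened version is that the decision of which fields a user may change is made on the server from an allowlist, not inferred from what the client omits; an ID check alone, as in the vulnerable version, leaves every other attribute writable.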
