Incorrect Access Control in the Administrative Management Interface in SimplyBook.me Enterprise before 2019-04-23 allows Authenticated Low-Priv Users to Elevate Privileges to Full Admin Rights via a crafted HTTP PUT Request, as demonstrated by modified JSON data to a /v2/rest/ URI
A SimplyBook.it/SimplyBook.me management portal user with a low-privileged account (such as Viewer Group read-only access) is able to send crafted JSON data in a PUT request via the REST API and reconfigure their account settings to grant themselves top-level Administrative rights over the whole application, its users and the data belonging to all the clients of the booking system. In addition, they would be able to reconfigure 3rd-party payment account settings (e.g. PayPal, Stripe, etc.) and hijack client payments intended for the owner of the service.
The SimplyBook.it/SimplyBook.me site management portal software allows site owners to create very limited user accounts for the purpose of granting read-only access to users or entities that require basic data access only.
This can allow untrusted partner agents or low-level employees to have read-only access to booking/appointment calendars and service status messages. They should never be able to alter any configuration data or affect any other area of the site: services, users, clients, or financial service credentials.
User session tokens must also be validated when configuration changes are being made by an authenticated user; it is not enough to rely on the request carrying a valid X-CSRF Token. An authenticated low-priv read-only account could represent an untrusted basic employee with bad intentions, or an account that has been more easily compromised by a criminal attacker because its user believed it could do no harm and so saw no need to protect the credentials well.
Here I will demonstrate how an attacker holding a Low-Priv Viewer Account is able to grant themselves full Admin Privileges.
I was able to consistently reproduce and confirm the vulnerability using the following steps.
First create a restricted Viewer account with read-only access.
Log in as the just_a_viewer account. Then access the Welcome page.
Proxy the web traffic using a proxy tool such as Burp Suite and then click on the Services & Providers pane.
Notice the Access Denied message…
Next, select Change password from the Welcome screen and then cancel it. Then return to Burp to get your user_id for the next step.
Then alter the request to contain a PUT /v2/rest/user/item/id/5 with JSON data structured in the following way, making sure to set
If all was successful, you should see the same JSON data returned in an HTTP 200 OK response.
And finally, we are able to refresh the browser and see that we now have full administrative privileges in the management portal and can do anything we want.
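The server-side check this write-up calls for (authorising the update against the authenticated session's own role and user_id, not just the X-CSRF token) as an added example in Python. This is not SimplyBook.me's code; the role names, the privileged field names and the in-memory user store are assumptions for illustration. The handler with the flaw is shown beside the hardened one.

```python
"""Added example (not SimplyBook.me code): authorising a
PUT /v2/rest/user/item/id/<id> style update server-side."""
from dataclasses import dataclass

ADMIN = "admin"
VIEWER = "viewer"  # the read-only Viewer Group from the write-up
# Assumed names of fields that only an admin may ever change.
PRIVILEGED_FIELDS = {"group", "is_admin", "permissions"}


@dataclass
class Session:
    """Server-side session for the authenticated requester."""
    user_id: int
    role: str
    csrf_token: str


def vulnerable_update(session, csrf_header, target_id, payload, users):
    """Mirrors the flaw described: only the CSRF token is checked, so any
    authenticated user may rewrite any field of any user record."""
    if csrf_header != session.csrf_token:
        return 403, None
    users[target_id].update(payload)
    return 200, users[target_id]


def hardened_update(session, csrf_header, target_id, payload, users):
    """CSRF check plus object-level and field-level authorisation derived
    from the session, never from client-supplied data."""
    if csrf_header != session.csrf_token:
        return 403, None
    if target_id not in users:
        return 404, None
    is_admin = session.role == ADMIN
    # Object-level: a non-admin may only touch their own record.
    if not is_admin and target_id != session.user_id:
        return 403, None
    # Field-level: role/permission fields are admin-only, even on own record.
    if not is_admin and PRIVILEGED_FIELDS & payload.keys():
        return 403, None
    users[target_id].update(payload)
    return 200, users[target_id]
```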
(covers CVE-2019-11488 & CVE-2019-11489)
13-April-2019: Vendor is first sent the details of the vulnerabilities.
23-April-2019: Notified of fix and bounty award by the vendor.
As a reward for accepted vulnerabilities we will pay you 600 USD, since we consider them as average seriousness:
(1) with admin access issue, the attacker, employee of same company as he would already need access, can only affect the system internally (not cross-system) and
(2) with hash issue the attacker needs to have access to user’s browser data.
Obviously both are issues that should absolutely not be there, and they have been fixed already, and we are thankful for you pointing them out to us.
. . .
Additionally we will give you 2 years of premium access to our system.
Best regards, Elina - Security Manager
Overall it was a positive experience communicating with the SimplyBook.me team, and I was glad to see the devs work to apply a fix within 10 days.
Thanks for reading,
Please Comment Below.
The CybrGrade UK Team