Details
There is an improper access control issue that makes it possible for admins to ban themselves, leading to the deactivation of their Ifme account and complete loss of admin access to Ifme.
PoC Details
In a private window, open the application at http://localhost:3000/users/sign_in and log in with the credentials of a normal user. Go to http://localhost:3000/allies, search for the admin's email address and click "Add to allies" on the admin profile.
In the normal window, log in as the admin and accept the ally request.
Back in the private window, as the normal user, go to Ally > Admin profile, click "Report", add a reason and submit it.
In the normal window, as the admin, go to http://localhost:3000/admin_dashboard and click "Ban User" on the Admin User entry. The admin account is deactivated and cannot be recovered.
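The missing check, as an added illustrative example that is not Ifme's own code: a minimal model of an admin-dashboard "Ban User" action that refuses to ban the account the admin is currently signed in as. The User struct, ban_user function and error classes are assumptions for the demo, not the project's real API.

```ruby
# Added example (not if-me.org's code): models the "Ban User" action with the
# guard that prevents an admin from deactivating their own account.
# User, ban_user and the error classes are assumed names for this demo.

User = Struct.new(:id, :email, :admin, :banned, keyword_init: true) do
  def admin?
    admin
  end

  def banned?
    banned
  end
end

class NotAuthorizedError < StandardError; end
class SelfBanError < StandardError; end

# Ban `target` on behalf of `current_user`.
# Only admins may ban, and an admin may never ban themselves: without the
# self-ban guard the signed-in admin's account is deactivated and admin
# access to the instance is lost, which is the flaw described above.
def ban_user(current_user:, target:)
  raise NotAuthorizedError, 'only admins can ban users' unless current_user.admin?
  if current_user.id == target.id
    raise SelfBanError, 'an admin cannot ban their own account'
  end
  target.banned = true
  target
end
```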
Affected Environments
v5.0.0–v7.32
Prevention
Update to version v7.32.1 or later.