Bug #56187 Security - CSRF allows 3rd party to escalate own role
Submitted: 23 Aug 2010 11:33   Modified: 25 Aug 2010 1:07
Reporter: Mark Leith
Status: Closed
Category: MySQL Enterprise Monitor: Web   Severity: S1 (Critical)
Version: 2.2.3.1741   OS: Any
Assigned to: Josh Sled   CPU Architecture: Any

[23 Aug 2010 11:33] Mark Leith
Description:
A read-only roled user can escalate their own role with CSRF. 

How to repeat:
o Make a user "test" with a read-only role, password of "test"
o Log in with the test user, navigate to Settings->User Preferences
o View the source of the page, get the token value from:

  <input type="hidden" id="SaveUserPreferences" name="SaveUserPreferences" value="D9O9MXGL6GQMCB9PT8W0G6NITSQFYM5E" />

o Send the following request (with the correct token):

http://localhost:18080/SaveUserPreferences.action?struts.token.name=SaveUserPreferences&Sa...

Suggested fix:
Do not allow changing user roles when not logged in as a manager user.
[23 Aug 2010 21:08] Enterprise Tools JIRA Robot
Josh Sled writes: 
revno: 8134
revision-id: josh.sled@oracle.com-20100823202403-ghvf087xaldwx1z7
parent: mark-20100823185104-d0g3jux82onnamej
committer: Josh Sled <josh.sled@oracle.com>
branch nick: 2.2
timestamp: Mon 2010-08-23 16:24:03 -0400
message:
  EM-4739: remove ability to change roles on SaveUserPreferences (similar to EditUser, where we don't allow a user to change their own role)

Note this isn't a CSRF vulnerability so much as insufficient logic: we did not test that the user was sufficiently privileged to change their role before applying the role change.
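The following is an added illustration, not code from MySQL Enterprise Monitor, of the defect described in the report above and in Josh Sled's note: the SaveUserPreferences request carries a valid per-form token, so the anti-CSRF check passes, but the vulnerable handler then applies a `role` parameter without testing that the caller is allowed to change roles. The hardened handler drops role handling from the preferences action altogether and leaves role changes to an EditUser-style action that requires the manager role and refuses a self-change, which is the shape of the fix in revno 8134. The role names, the User/Session objects, the preference field list and the token bookkeeping are all assumptions made for the example; the real product is a Struts web application and its token mechanism is only approximated here.

```python
"""Added example (not MySQL Enterprise Monitor code): a missing-privilege
check behind a working per-form token. All names below are assumptions."""
import secrets
from dataclasses import dataclass, field

ROLE_READ_ONLY = "read-only"   # assumed role names
ROLE_MANAGER = "manager"
ROLES = {ROLE_READ_ONLY, ROLE_MANAGER}
PREFERENCE_FIELDS = {"timezone", "locale", "rows_per_page"}  # assumed fields
FORM = "SaveUserPreferences"


@dataclass
class User:
    name: str
    role: str
    prefs: dict = field(default_factory=dict)


@dataclass
class Session:
    user: User
    tokens: dict = field(default_factory=dict)  # form name -> one-time token

    def issue_token(self, form: str) -> str:
        self.tokens[form] = secrets.token_hex(16)
        return self.tokens[form]

    def consume_token(self, form: str, presented: str) -> bool:
        expected = self.tokens.pop(form, None)
        return expected is not None and secrets.compare_digest(expected, presented)


class AuthzError(Exception):
    pass


def _check_token(session: Session, params: dict) -> None:
    """Approximation of the struts.token check: right form name, valid
    one-time token. This part was already working in the report."""
    if params.get("struts.token.name") != FORM:
        raise AuthzError("wrong form token name")
    if not session.consume_token(FORM, params.get("struts.token", "")):
        raise AuthzError("invalid or replayed form token")


def save_preferences_vulnerable(session: Session, params: dict) -> User:
    """Before the fix: every non-framework parameter is applied to the
    logged-in user, including `role`, with no privilege test at all."""
    _check_token(session, params)
    user = session.user
    for key, value in params.items():
        if key.startswith("struts."):
            continue
        if key == "role":
            if value not in ROLES:
                raise ValueError("unknown role")
            user.role = value          # a read-only user promotes themselves
        else:
            user.prefs[key] = value
    return user


def save_preferences_fixed(session: Session, params: dict) -> User:
    """After the fix: the preferences action only touches preference fields;
    a `role` parameter is ignored even when the token is valid."""
    _check_token(session, params)
    user = session.user
    for key, value in params.items():
        if key in PREFERENCE_FIELDS:
            user.prefs[key] = value
    return user


def edit_user_role(actor: User, target: User, new_role: str) -> User:
    """EditUser-style action: only a manager may change roles, and not their own."""
    if actor.role != ROLE_MANAGER:
        raise AuthzError("only managers may change roles")
    if actor.name == target.name:
        raise AuthzError("users may not change their own role")
    if new_role not in ROLES:
        raise ValueError("unknown role")
    target.role = new_role
    return target


def demo() -> dict:
    """Constructed scenario mirroring the report: read-only user 'test'
    submits SaveUserPreferences with a valid token and role=manager."""
    out = {}
    s = Session(User("test", ROLE_READ_ONLY))
    params = {"struts.token.name": FORM, "struts.token": s.issue_token(FORM),
              "timezone": "UTC", "role": ROLE_MANAGER}
    out["vulnerable_role"] = save_preferences_vulnerable(s, params).role

    s = Session(User("test", ROLE_READ_ONLY))
    params["struts.token"] = s.issue_token(FORM)
    u = save_preferences_fixed(s, params)
    out["fixed_role"], out["fixed_prefs"] = u.role, dict(u.prefs)
    try:                                   # replaying the consumed token fails
        save_preferences_fixed(s, params)
        out["replay_rejected"] = False
    except AuthzError:
        out["replay_rejected"] = True
    try:                                   # read-only user cannot use EditUser
        edit_user_role(u, User("other", ROLE_READ_ONLY), ROLE_MANAGER)
        out["self_service_rejected"] = False
    except AuthzError:
        out["self_service_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The point worth taking from the example is the one Josh Sled makes: a correct token check proves the request came from the user's own session, not that the user is allowed to do what the request asks. Authorization for a privileged field has to be checked (or, as here, the field removed from the low-privilege action) independently of any CSRF defence.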
[8 Sep 2010 15:52] MC Brown
A note has been added to the 2.2.3 changelog: 

        It was possible to fake the request and promote a user to a
        different role without having the privileges to do so.
[18 Apr 2011 14:16] Mark Leith
Originally reported by Myles Hosford.