Privilege Escalation via Account Takeover on NodeBB Forum Software — Bug Bounty ($512) — CVE-2020-15149

Muhammed Eren Uygun
Published in InfoSec Write-ups
Sep 19, 2020


Hello Guys !

I hope you are all doing well. ✌️

About a month ago, I told you that I had found an Account Takeover vulnerability in a web application, as in the screenshot below. Now that a patch for the vulnerable web application has been released, I can share how I found the vulnerability.

This is my first bug bounty write-up, so I am writing about a P1-qualified vulnerability.

Let's talk about it.

(Screenshot: bug bounty reward mail)

While testing the NodeBB forum software, I found that the password of any user account could be changed by another, unprivileged user.

Now I will walk through the steps to exploit this vulnerability.

1. First of all, to determine the "admin" user's uid:

https://try.nodebb.org/uid/*

I tried numbers in place of the asterisk (*) and found that the uid of the admin account is 1, because that URL redirects to the admin's profile:

https://try.nodebb.org/uid/1 -> https://try.nodebb.org/user/admin

(Screenshot: resolving the admin account's uid)

2. I created a user named "testuser1" for myself.

(Screenshot: created account)

3. I went to the password change page from my user profile, entered my current password in the first box, and entered the new password I wanted in the second and third boxes.

(Screenshot: password change form)

4. Before pressing the submit button, I opened Burp Suite, which provides an intercepting proxy, and caught the password-change request (sent over a WebSocket, as the screenshot shows). I replaced the uid value in the request with 1, the uid of the admin user, and forwarded the request.

(Screenshot: intercepted WebSocket message with the uid replaced)

5. On the login page I entered "admin" as the user name and, as the password, the new password I had chosen in step 3.

(Screenshot: logging in with the changed admin password)

6. Thus, I obtained the account of the "admin" user. The server checked my current password and then changed the password of whichever uid the request named, without verifying that the uid was my own.

(Screenshot: admin account)

Thanks to this vulnerability, NodeBB awarded me a bounty of $512. 🏆🏆🏆

You can click the link below to view the NodeBB Forum Software's Hall of Fame list.

https://blog.nodebb.org/bounty/

Below is the link to the GitHub security advisory confirming that the vulnerability has been fixed.

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7

I hope you learned something from this, and if so, give me a high five. ✋

Thank you for reading my article. You can reach me at the links below.

Healthy days! 😷

https://twitter.com/erenuyguun

https://www.linkedin.com/in/3ren-uygun/
