Staff can edit other staff using the user buckets bypassing permission checks

Bug #2020196 reported by Steve Callender
This bug affects 6 people
Affects: Evergreen
Status: Confirmed
Importance: High
Assigned to: Unassigned

Bug Description

Tested in EG 3.9.2

Staff members that do not have permission to edit users in certain permission groups can bypass the permission blocks by adding a staff member to a bucket and doing a batch edit.

I tested with a staff account editing another account they do not have permission to edit. In the patron editor it's blocked with the message "Editing users in this group is disallowed". However, putting that user in a bucket allows me to change the individual account settings that are part of the batch edit process, such as home library or profile, which would allow me to move that user into a permission group that I CAN fully edit.

Steve Callender (stevecallender) wrote :

Update: I cannot edit the permission group this way, but I can edit the home library and everything else; the permission group/profile still successfully blocks and requires an override.

Galen Charlton (gmc)
information type: Public → Public Security
Galen Charlton (gmc)
Changed in evergreen:
importance: Undecided → High
status: New → Confirmed
Galen Charlton (gmc) wrote :

Confirmed. Somebody with UPDATE_USER normally cannot edit a user record at all unless they have the relevant application_perm corresponding to the record's profile, but via batch patron update (assuming they have the CONTAINER_BATCH_UPDATE permission) they can get past this restriction in certain contexts:

- barred: if they have BAR_PATRON/UNBAR_PATRON
- active, juvenile, expire_date, net_access_level: all they need is UPDATE_USER
- home_ou: they need UPDATE_USER at both the old and new orgs

However, they _cannot_ change the profile unless they have the corresponding application_perm.

This doesn't appear to support a privilege escalation attack, but could support a denial of service attack against other staff users.

tags: added: buckets-user permissions
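The gap Galen describes above, two code paths applying different checks to the same record, modelled as an added Python example. This is not Evergreen code (the project's server side is Perl); the permission names UPDATE_USER, BAR_PATRON, UNBAR_PATRON, CONTAINER_BATCH_UPDATE and the per-field rules are taken from the comment, while the data structures, the application_perm names, the org unit at which each perm is evaluated, the rule that a profile change needs the application_perm of both the old and the new profile, and the "gated" variant that reuses the editor's record-level check in the batch path are all assumptions, not the project's fix.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical profile group -> application_perm mapping (assumption).
APPLICATION_PERM: Dict[str, str] = {
    "Patrons": "group_application.user.patron",
    "Staff": "group_application.user.staff",
}

# Fields the comment says need only UPDATE_USER in the batch path.
FIELDS_NEEDING_ONLY_UPDATE_USER = {"active", "juvenile", "expire_date", "net_access_level"}


@dataclass
class User:
    id: int
    profile: str   # permission group name
    home_ou: int   # home org unit id
    barred: bool = False
    active: bool = True


@dataclass
class Staff:
    id: int
    # perm name -> set of org unit ids where the perm is held (assumption)
    perms: Dict[str, Set[int]] = field(default_factory=dict)

    def has(self, perm: str, org: int) -> bool:
        return org in self.perms.get(perm, set())


def editor_check(actor: Staff, target: User) -> Optional[str]:
    """Patron-editor rule from the comment: UPDATE_USER at the target's home
    library plus the application_perm of the target's profile.
    Returns the missing perm, or None when the record may be edited."""
    if not actor.has("UPDATE_USER", target.home_ou):
        return "UPDATE_USER"
    app = APPLICATION_PERM[target.profile]
    if not actor.has(app, target.home_ou):
        return app
    return None


def batch_field_check(actor: Staff, target: User, field_name: str, new_value) -> bool:
    """Per-field checks the comment attributes to batch patron update."""
    if field_name == "barred":
        return actor.has("BAR_PATRON" if new_value else "UNBAR_PATRON", target.home_ou)
    if field_name in FIELDS_NEEDING_ONLY_UPDATE_USER:
        return actor.has("UPDATE_USER", target.home_ou)
    if field_name == "home_ou":
        # UPDATE_USER at both the old and the new org.
        return actor.has("UPDATE_USER", target.home_ou) and actor.has("UPDATE_USER", new_value)
    if field_name == "profile":
        # Assumption: application_perm for both the current and the new profile.
        return (actor.has(APPLICATION_PERM[target.profile], target.home_ou)
                and actor.has(APPLICATION_PERM[new_value], target.home_ou))
    return False


def batch_allowed_reported(actor: Staff, target: User, field_name: str, new_value) -> bool:
    """Behaviour as reported: CONTAINER_BATCH_UPDATE plus the per-field check,
    with no record-level application_perm gate for non-profile fields."""
    if not actor.has("CONTAINER_BATCH_UPDATE", target.home_ou):
        return False
    return batch_field_check(actor, target, field_name, new_value)


def batch_allowed_gated(actor: Staff, target: User, field_name: str, new_value) -> bool:
    """One way to close the gap (an assumption, not the project's fix): run the
    same record-level editor_check before any per-field batch check."""
    if not actor.has("CONTAINER_BATCH_UPDATE", target.home_ou):
        return False
    if editor_check(actor, target) is not None:
        return False
    return batch_field_check(actor, target, field_name, new_value)


def demo() -> Dict[str, bool]:
    """Constructed scenario: a staffer who may edit patrons (but not staff)
    at orgs 1 and 2 targets a Staff-profile user whose home library is org 1."""
    actor = Staff(1, {
        "UPDATE_USER": {1, 2},
        "CONTAINER_BATCH_UPDATE": {1, 2},
        "BAR_PATRON": {1, 2},
        APPLICATION_PERM["Patrons"]: {1, 2},
    })
    target = User(42, profile="Staff", home_ou=1)
    return {
        "editor_blocked": editor_check(actor, target) is not None,
        "batch_home_ou_reported": batch_allowed_reported(actor, target, "home_ou", 2),
        "batch_active_reported": batch_allowed_reported(actor, target, "active", False),
        "batch_barred_reported": batch_allowed_reported(actor, target, "barred", True),
        "batch_profile_reported": batch_allowed_reported(actor, target, "profile", "Patrons"),
        "batch_home_ou_gated": batch_allowed_gated(actor, target, "home_ou", 2),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

In the constructed scenario the editor refuses the record (missing the Staff application_perm), yet the reported batch path lets the same actor change home library, active flag and barred status, while the profile change stays blocked; the gated variant refuses all of them, which is the consistency a fix would want to restore.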
Mark Massey (mtm-ccld) wrote (last edit ):

I was able to remove "staff" from this list and add "staff member" from the page below.
change *YOUR_LIBRARY* to the correct address

https://*YOUR_LIBRARY*.missourievergreen.org/eg/staff/admin/local/permission/grp_tree_display_entry

I was then able to change the main (profile) permission group from patron to staff member while editing an account
