The Squiz Matrix content management system, popular among Australian and New Zealand universities and other sectors, has patched a serious privilege escalation bug.
Trustwave’s Spiderlabs, which discovered the vulnerability, explained that an insecure direct object reference (IDOR) bug allows low-privileged users to change the contact details of any other user, including admins.
Changing a user’s email address to one the attacker controls allows that user’s password to be reset, giving the attacker complete account takeover.
In vulnerable installations, Spiderlabs explained, the “edit contact” page lets any user view and enumerate the GET and POST parameter named “asset_id”, which holds the ID of the user being edited.
An attacker, the post explained, can simply submit a POST request that supplies another user’s ID and changes that user’s type (to admin, for example).
“As user account numbers are in a sequential order, an attacker could run through user account numbers and change the details of every user registered to the vulnerable Squiz Matrix instance”, the post explained.
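The flaw described above, as an added example that is not Squiz Matrix’s code: a minimal request handler that selects the record to edit from a client-supplied `asset_id` and never compares it to the session user, beside a hardened version that authorises against the server-side session and refuses to let non-admins change `user_type`. The user store, parameter names, user-type values and handler signatures are assumptions chosen to mirror the article’s description; the enumeration routine walks the sequential ID space the way the post describes.

```python
"""Illustration of the IDOR pattern described in the article.

This is NOT Squiz Matrix code. The in-memory user store, the
asset_id / email / user_type parameter names, the "user"/"admin"
type values and the handler signatures are all assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass
class User:
    asset_id: int
    email: str
    user_type: str  # assumed values: "user" or "admin"


class Forbidden(Exception):
    """Raised by the hardened handler when the caller is not authorised."""


def seed_users() -> Dict[int, User]:
    """Constructed sample data with sequential asset IDs, as the advisory notes."""
    return {
        100: User(100, "alice@example.edu", "admin"),
        101: User(101, "bob@example.edu", "user"),
        102: User(102, "carol@example.edu", "user"),
    }


def edit_contact_vulnerable(users: Dict[int, User], session_user_id: int, params: Dict[str, str]) -> User:
    """Vulnerable: the record is chosen by the client-supplied asset_id and the
    caller's own identity (session_user_id) is never consulted, so any user can
    rewrite any other user's email or type."""
    target = users[int(params["asset_id"])]
    if "email" in params:
        target.email = params["email"]
    if "user_type" in params:
        target.user_type = params["user_type"]
    return target


def edit_contact_fixed(users: Dict[int, User], session_user_id: int, params: Dict[str, str]) -> User:
    """Hardened: authorise against the server-side session, not the request.
    Non-admins may only edit their own record and may never change user_type."""
    caller = users[session_user_id]
    target_id = int(params["asset_id"])
    if caller.user_type != "admin" and target_id != caller.asset_id:
        raise Forbidden(f"user {caller.asset_id} may not edit asset {target_id}")
    if "user_type" in params and caller.user_type != "admin":
        raise Forbidden("user_type is not editable by non-admins")
    target = users[target_id]
    if "email" in params:
        target.email = params["email"]
    if "user_type" in params:
        target.user_type = params["user_type"]
    return target


Handler = Callable[[Dict[int, User], int, Dict[str, str]], User]


def enumerate_and_takeover(handler: Handler, users: Dict[int, User], attacker_id: int, attacker_email: str) -> Set[int]:
    """Walk the sequential ID space and try to point every account's email at
    the attacker. Returns the IDs of other users whose email was changed."""
    hijacked: Set[int] = set()
    for asset_id in sorted(users):
        try:
            handler(users, attacker_id, {"asset_id": str(asset_id), "email": attacker_email})
        except Forbidden:
            continue
        if asset_id != attacker_id and users[asset_id].email == attacker_email:
            hijacked.add(asset_id)
    return hijacked


def can_escalate(handler: Handler, user_id: int = 102) -> bool:
    """True if a low-privileged user can promote their own record to admin."""
    users = seed_users()
    try:
        handler(users, user_id, {"asset_id": str(user_id), "user_type": "admin"})
    except Forbidden:
        return False
    return users[user_id].user_type == "admin"


def demo():
    """Run the enumeration attack against both handlers as user 102 (a non-admin)."""
    attacker, evil = 102, "evil@attacker.invalid"
    vuln = enumerate_and_takeover(edit_contact_vulnerable, seed_users(), attacker, evil)
    fixed = enumerate_and_takeover(edit_contact_fixed, seed_users(), attacker, evil)
    return vuln, fixed  # returns ({100, 101}, set())


if __name__ == "__main__":
    print("hijacked (vulnerable, fixed):", demo())
    print("escalation possible:", can_escalate(edit_contact_vulnerable), can_escalate(edit_contact_fixed))
```

The point of the hardened handler is that the object identifier in the request is never trusted on its own: ownership is derived from the session, and the fields a non-admin may write are whitelisted so that the same request cannot also be used for privilege escalation.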
As well as universities, searches by iTnews showed Squiz Matrix instances belonging to a number of state and local government organisations in all states of Australia.
The bug was disclosed by Trustwave to Squiz, and has been patched.