You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"summary": "Shopware: Admin Account Takeover via User Recovery Hash Exposure",
10
+
"details": "## Summary\n\nA low-privilege admin user with `user_recovery:read` ACL can take over any admin account. The attacker triggers password recovery for the victim (unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password (another unauthenticated endpoint). The recovery hash — intended to be secret and delivered only via email — is fully readable through the standard entity search API.\n\n**OWASP:** A01:2021 — Broken Access Control\n\n## Root Cause\n\nThe `user_recovery` entity exposes its `hash` field through the Admin API search endpoint (`POST /api/search/user-recovery`). The `hash` field lacks `ApiAware(false)` or `ReadProtection`, so any user with `user_recovery:read` ACL can read it.\n\nThe password recovery flow assumes the hash is delivered exclusively via email. The Admin API provides an alternative channel to obtain it, breaking this assumption.\n\n**Three endpoints combine to form the attack:**\n\n1. `POST /api/_action/user/user-recovery` — triggers recovery, creates hash in DB (**no auth required**)\n2. `POST /api/search/user-recovery` — reads the hash (**requires only `user_recovery:read` ACL**)\n3. `PATCH /api/_action/user/user-recovery/password` — resets password using hash (**no auth required**)\n\n**Vulnerable code:**\n- `src/Core/System/User/Recovery/UserRecoveryDefinition.php` — `hash` field is `ApiAware` with no `ReadProtection`\n\n## Impact\n\n- **Full admin account takeover** — attacker gains the highest privilege level in the system\n- **All admin capabilities** — user/role management, system configuration, plugin management, customer data access\n- **Cascading compromise** — taken-over admin account can be used to pivot to other attacks\n- **Low barrier** — `user_recovery:read` is a seemingly harmless permission that grants devastating access\n\n## Remediation\n\nRemove the `hash` field from API responses:\n\n```php\n// src/Core/System/User/Recovery/UserRecoveryDefinition.php\n(new StringField('hash', 'hash'))\n ->addFlags(new Required(), new ApiAware(false)),\n```",
"summary": "Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts",
10
+
"details": "`UserController::upsertUser()` writes user data in `SYSTEM_SCOPE` and does not filter the `admin` field. A non-admin API user with `user:create` or `user:update` ACL permission can set `admin: true` on new or existing users, escalating to full admin access.\n\n## The Problem\n\nIn `src/Core/Framework/Api/Controller/UserController.php`, line 210-234:\n\n```php\npublic function upsertUser(?string $userId, Request $request, Context $context, ResponseFactoryInterface $factory): Response\n{\n $data = $request->request->all(); // raw request data, no field filtering\n // ...\n $events = $context->scope(Context::SYSTEM_SCOPE, fn (Context $context) =>\n $this->userRepository->upsert([$data], $context)\n );\n}\n```\n\n`SYSTEM_SCOPE` bypasses `AclWriteValidator` entirely (line 52 of `AclWriteValidator::preValidate()` returns early for `SYSTEM_SCOPE`). The `admin` boolean field is accepted without restriction.\n\nCompare with `IntegrationController::upsertIntegration()` in the same codebase, which correctly checks:\n\n```php\nif ((!$source instanceof AdminApiSource)\n || (!$source->isAdmin()\n && isset($data['admin']))\n) {\n throw new PermissionDeniedException();\n}\n```\n\n`UserController` is missing this exact check.\n\n## Impact\n\nAny API user with the low-privilege `user:create` permission can create accounts with full admin access, or with `user:update` can promote any existing user to admin. This is a direct privilege escalation.\n\n## Suggested Fix\n\nAdd the same `isAdmin()` check from `IntegrationController`:\n\n```php\n$source = $context->getSource();\nif ((!$source instanceof AdminApiSource) || (!$source->isAdmin() && isset($data['admin']))) {\n throw new PermissionDeniedException();\n}\n```\n\nBest regards,\nKeyvan Hardani",
0 commit comments