CVE-2024-24573
📋 TL;DR
This vulnerability in facileManager allows non-admin users to escalate their privileges to super user/admin level by manipulating profile update requests. It affects all users of facileManager versions 4.5.0 and earlier who have non-admin accounts. The flaw exists in the profile update endpoint where permission validation is insufficient.
💻 Affected Systems
- facileManager
📦 What is this software?
facileManager, the open-source project published on GitHub as WillyXJ/facileManager (the repository referenced in the vendor advisory below)
⚠️ Risk & Real-World Impact
Worst Case
Non-admin users gain full administrative control over the facileManager system, allowing them to modify configurations, access sensitive data, create/delete accounts, and potentially compromise the underlying server.
Likely Case
Malicious or compromised non-admin accounts escalate to admin privileges, enabling unauthorized access to administrative functions and sensitive information within the application.
If Mitigated
With proper access controls and monitoring, impact is limited to potential unauthorized privilege changes that can be detected and rolled back before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated non-admin access. The vulnerability is straightforward to exploit by modifying POST requests to the profile update endpoint.
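The flaw described above is a server-side authorization gap: the profile update endpoint applied a submitted permission field without checking whether the caller's role allowed it. The following added example (not facileManager's own code; the field names, the User model and update_profile() are assumptions) shows the hardened pattern, where the set of writable fields is derived from the server-side session role rather than from anything in the request, and includes a small check mirroring the "Verify Fix Applied" step.

```python
# Added example, not facileManager's own code: a profile-update handler that
# enforces the server-side role check this advisory says was insufficient.
# The field names, the User model and update_profile() are assumptions.
from dataclasses import dataclass, field

# Fields any authenticated user may change on their own profile (assumed names).
SELF_EDITABLE_FIELDS = {"display_name", "email", "theme"}
# Fields only an administrator may set; never trusted from a non-admin request.
ADMIN_ONLY_FIELDS = {"permissions"}


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform the update."""


@dataclass
class User:
    name: str
    is_admin: bool
    profile: dict = field(default_factory=dict)


def update_profile(actor: User, target: User, posted: dict) -> dict:
    """Apply a posted profile update on behalf of `actor`.

    The vulnerable pattern is to copy every posted key into the profile, which
    lets a non-admin submit a permission field alongside harmless ones. Here
    the set of writable fields comes from the server-side session role, not
    from the request, and every other key is dropped and reported.
    """
    if actor is not target and not actor.is_admin:
        raise Forbidden("non-admin users may only edit their own profile")
    allowed = set(SELF_EDITABLE_FIELDS)
    if actor.is_admin:
        allowed |= ADMIN_ONLY_FIELDS
    accepted = {k: v for k, v in posted.items() if k in allowed}
    rejected = sorted(k for k in posted if k not in allowed)
    target.profile.update(accepted)
    # Only an admin-authored update can ever change the admin flag.
    if actor.is_admin and "permissions" in accepted:
        target.is_admin = accepted["permissions"] == "admin"
    return {"accepted": sorted(accepted), "rejected": rejected}


def verify_fix() -> bool:
    """Mirrors the 'Verify Fix Applied' step: a non-admin submitting a
    permission field must keep the non-admin flag and see the field rejected."""
    alice = User("alice", is_admin=False)
    result = update_profile(alice, alice,
                            {"display_name": "Alice", "permissions": "admin"})
    return result["rejected"] == ["permissions"] and not alice.is_admin


if __name__ == "__main__":
    print("fix holds" if verify_fix() else "ESCALATION POSSIBLE")
```

The design point is that the allow-list is computed from state the server already trusts (the session's role), so a request cannot widen it; rejected keys are returned so that an unexpected permission field in a non-admin request can be logged as a detection signal.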
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.1 and later
Vendor Advisory: https://github.com/WillyXJ/facileManager/security/advisories/GHSA-w67q-pp62-j4pf
Restart Required: No
Instructions:
1. Back up your facileManager installation and database.
2. Download and install facileManager version 4.5.1 or later from the official repository.
3. Replace all files with the new version.
4. Verify the fix by checking that non-admin users cannot modify their permission levels.
🔧 Temporary Workarounds
Temporary Access Restriction
Restrict access to the vulnerable endpoint for non-admin users
# Add to web server configuration (Apache 2.4 example).
# Apache has no notion of the application's admin role, so gate the endpoint
# on a trusted administrator network instead; 192.0.2.0/24 is a placeholder.
<Location "/server/fm-modules/facileManager/ajax/processPost.php">
    Require ip 192.0.2.0/24
</Location>
🧯 If You Can't Patch
- Disable all non-admin accounts until patching is possible
- Implement strict network segmentation to isolate facileManager from critical systems
🔍 How to Verify
Check if Vulnerable:
Check if your facileManager version is 4.5.0 or earlier. Test with a non-admin account attempting to modify permission parameters in profile update requests.
Check Version:
Check the version in the facileManager admin interface or examine the application files for version information.
Verify Fix Applied:
After updating, verify that non-admin users cannot change their permission levels through profile updates. Test the same exploit attempt that previously worked.
📡 Detection & Monitoring
Log Indicators:
- Unusual permission changes in user logs
- Non-admin users accessing admin functions
- POST requests to processPost.php with permission parameter modifications
Network Indicators:
- HTTP POST requests to /server/fm-modules/facileManager/ajax/processPost.php containing permission-related parameters from sessions of non-admin users (a source IP alone does not establish the role; correlate with the authenticated user)
SIEM Query:
source="facileManager" AND (event="permission_change" OR url_path="/server/fm-modules/facileManager/ajax/processPost.php") AND user_role!="admin"
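As an added example of the log indicators above in working form (not facileManager's own code or log format): a small detector over constructed sample records that flags POSTs to processPost.php by non-admin users that carry a permission-related parameter. The tab-separated layout, the role column and the parameter names are assumptions; map them to the fields your web server and application actually log.

```python
# Added example, not facileManager's own code or log format: flags the
# indicators listed in the Detection & Monitoring section. The record layout,
# the role column and the parameter names are constructed assumptions.
from typing import List, Optional
from urllib.parse import parse_qs

TARGET_PATH = "/server/fm-modules/facileManager/ajax/processPost.php"
# Parameter names that should never appear in a non-admin profile update
# (assumed names; replace with the real field names from your deployment).
PERMISSION_PARAMS = {"permissions", "role", "user_level"}

# Constructed sample records: timestamp, user, role, method, path, form body.
SAMPLE_LOG = """\
2024-02-01T10:00:01Z\talice\tuser\tPOST\t/server/fm-modules/facileManager/ajax/processPost.php\tdisplay_name=Alice&email=a%40example.test
2024-02-01T10:00:02Z\talice\tuser\tPOST\t/server/fm-modules/facileManager/ajax/processPost.php\tdisplay_name=Alice&permissions=admin
2024-02-01T10:00:03Z\troot\tadmin\tPOST\t/server/fm-modules/facileManager/ajax/processPost.php\tuser=bob&permissions=admin
2024-02-01T10:00:04Z\tbob\tuser\tGET\t/server/fm-modules/facileManager/ajax/processPost.php\t
2024-02-01T10:00:05Z\tbob\tuser\tPOST\t/server/fm-modules/facileManager/index.php\trole=admin
"""


def parse_record(line: str) -> Optional[dict]:
    """Split one constructed record; return None for malformed lines so a bad
    line does not abort the whole run."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, user, role, method, path, body = parts
    return {"ts": ts, "user": user, "role": role, "method": method,
            "path": path, "params": parse_qs(body, keep_blank_values=True)}


def detect_escalation_attempts(log_text: str) -> List[dict]:
    """Return one alert per POST to the profile-update endpoint by a non-admin
    user that carries a permission-related parameter."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        if rec["role"] == "admin":
            continue  # admins legitimately change permissions here
        hit = sorted(PERMISSION_PARAMS & set(rec["params"]))
        if hit:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "params": hit})
    return alerts


if __name__ == "__main__":
    for alert in detect_escalation_attempts(SAMPLE_LOG):
        print(f"{alert['ts']} user={alert['user']} params={alert['params']}")
```

Only the second record is flagged: the first carries no permission field, the third is an admin acting legitimately, the fourth is a GET, and the fifth targets a different path. Tune PERMISSION_PARAMS to the field names your version actually uses before relying on it.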
🔗 References
- https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877
- https://github.com/WillyXJ/facileManager/security/advisories/GHSA-w67q-pp62-j4pf