Impact
A vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings.
Description
If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts.
Patches
Upgrade to the latest commit in master or upgrade to 2.3.0.
Workarounds
Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php
For more information
If you have any questions or comments about this advisory:
securized Analyst
Impact
A vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings.
Description
If an attacker crafts a request with specific cookie headers to the
/setup/finishendpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) inSetupControllerthat is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that/setup/finishverifies that nouserstable exists before performing any migrations or provisioning any new accounts.Patches
Upgrade to the latest commit in
masteror upgrade to 2.3.0.Workarounds
Users can patch this vulnerability without upgrading by adding
abort(404)to the very first line offinishSetupinSetupController.phpFor more information
If you have any questions or comments about this advisory: