Logged-in users can gain access to the management GUI and change some parameters
A non-privileged user can trick the application into showing the administrative GUI by manipulating the JSON reply data. Most management actions correctly check the real privileges at the server, but at least the user repository configuration data can be edited. Uploading a plugin is also possible.
Steps to reproduce:
- Log in to the SCM webapp
- Trap the response to the authentication/state.json action. The response contains user clientConfig parameters.
- In the config parameters replace: "admin":false with "admin":true
- You will see the admin GUI but not the admin data
- Go to Config. You will get an error loading the config data and cannot edit most of the fields. However, at the bottom there is the section about User repositories. You can edit and save that section.
- Similarly, you can upload a plugin. However, it was not tested whether a valid plugin would be inserted into the running configuration.
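
The server-side check this report calls for, as an added example that is not SCM-Manager code: a hypothetical `Server` model (all class, method and session names are assumptions) in which the `admin` flag in the state reply is only a GUI hint. The audit function calls each admin handler with a non-admin session and lists the ones that accept it.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """Hypothetical model of the server side; not SCM-Manager's API."""
    sessions: dict = field(default_factory=dict)  # sid -> {"admin": bool}, trusted
    config: dict = field(default_factory=lambda: {"user_repositories": "default"})

    def login(self, sid, admin=False):
        self.sessions[sid] = {"admin": admin}

    def state(self, sid):
        # Models the authentication/state.json reply: the flag is a GUI hint
        # that the client (or a proxy in front of it) can rewrite freely.
        return {"clientConfig": {"admin": self.sessions[sid]["admin"]}}

    def save_config_unchecked(self, sid, section, value):
        # Behaviour described in the report: logged in, but no privilege check.
        if sid not in self.sessions:
            return 401
        self.config[section] = value
        return 200

    def save_config(self, sid, section, value):
        # Corrected handler: the role comes from the server-side session only.
        session = self.sessions.get(sid)
        if session is None:
            return 401
        if not session["admin"]:
            return 403
        self.config[section] = value
        return 200

def audit_admin_handlers(handlers, non_admin_sid):
    """Return the names of admin handlers that accept a non-admin session."""
    return sorted(name for name, call in handlers.items()
                  if call(non_admin_sid) == 200)

def demo():
    srv = Server()
    srv.login("sid-user", admin=False)           # constructed sample session
    reply = srv.state("sid-user")
    reply["clientConfig"]["admin"] = True        # tampered copy on the client side
    handlers = {
        "save_config_unchecked": lambda s: srv.save_config_unchecked(s, "user_repositories", "x"),
        "save_config": lambda s: srv.save_config(s, "user_repositories", "x"),
    }
    return srv.sessions["sid-user"]["admin"], audit_admin_handlers(handlers, "sid-user")

if __name__ == "__main__":
    print(demo())
```

Run as a regression test, the audit should return an empty list once every admin handler checks the server-side session.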