Headline
i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw
The application doesn’t allow creation of more than one administrator account on the system. This also applies for deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using dangerous verbs like PUT and DELETE and improper server-side validation. Once a normal account with ‘viewer’ or ‘operator’ permissions has been added by the default admin user 'i3admin’, a PUT request can be issued calling the ‘UserPermission’ endpoint with the ID of created account and set it to ‘admin’ userType, successfully adding a second administrative account.
Related news
i3 International Annexxus Cameras Ax-n version 5.2.0 does not allow creation of more than one administrator account on the system. This also applies for deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using dangerous verbs like PUT and DELETE and improper server-side validation. Once a normal account with viewer or operator permissions has been added by the default admin user i3admin, a PUT request can be issued calling the UserPermission endpoint with the ID of created account and set it to admin userType, successfully adding a second administrative account.