Broken session control allows access to the admin panel even after the access has been revoked!! — #ZOHO
Every IT guy knows about Zoho People Plus; it is widely used by employees in companies. Recently I found a vulnerability in Zoho People Plus. The interesting thing is that even after the admin access has been revoked, the user is still able to make changes in Zoho People Plus as an admin, and all of these changes take effect.
Let's assume a scenario where the HR team, by mistake or on purpose, gives admin access (or any other role) to a specific person in the organization. Some time later the HR team revokes that person's access, yet the user can still reach the admin features. They can change anything they want inside the admin panel and perform every action an admin can. The reason behind this issue is that after the access is revoked, the application does not re-check on each request whether the user is currently authorized to perform the action, and the session token that was issued while the user held the admin role is not invalidated when the role is revoked. The server was effectively trusting the role captured at login time instead of the role the directory holds now. The fix a practitioner would expect is twofold: authorization for privileged actions must be evaluated server-side on every request against the user's current role, and a role or access revocation must invalidate the user's active sessions (or at least force a re-check before the cached role is honoured again).
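The following is an added illustration of the bug pattern described above and is not code from Zoho or from the original write-up. It models a hypothetical "People Plus"-style app twice: a vulnerable version that embeds the role in a signed session token and trusts it forever, and a hardened version that keeps the role out of the token, looks it up per request, and bumps a per-user session version on revocation so that every pre-revocation token is rejected. The secret key, user names and token format are constructed for the demo.

```python
"""Stale-authorization demo: role fixed in a session token vs. re-checked on every request."""
import base64
import hashlib
import hmac
import json

# Constructed secret for the demo only; a real deployment loads this from a KMS or env.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _sign(payload_b64: str) -> str:
    """HMAC-SHA256 over the encoded payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


def issue_token(claims: dict) -> str:
    """Mint a signed, unencrypted token (JWT-like, simplified for the demo)."""
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def verify_token(token: str) -> dict:
    """Return the claims if the signature is valid, otherwise raise."""
    payload, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(payload)):
        raise PermissionError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload))


class VulnerableApp:
    """Role is captured at login and trusted from the token forever (the bug pattern)."""

    def __init__(self):
        self.roles = {}  # username -> current role in the HR directory

    def login(self, user: str) -> str:
        return issue_token({"sub": user, "role": self.roles[user]})

    def revoke_admin(self, user: str) -> None:
        self.roles[user] = "employee"  # directory updated, but live tokens are untouched

    def admin_action(self, token: str) -> bool:
        claims = verify_token(token)
        return claims["role"] == "admin"  # stale claim: the revocation is never consulted


class HardenedApp:
    """Role is looked up per request, and revocation bumps a per-user session version."""

    def __init__(self):
        self.roles = {}
        self.session_version = {}  # username -> int; bump it to kill every live session

    def login(self, user: str) -> str:
        self.session_version.setdefault(user, 0)
        return issue_token({"sub": user, "sv": self.session_version[user]})  # no role inside

    def revoke_admin(self, user: str) -> None:
        self.roles[user] = "employee"
        self.session_version[user] = self.session_version.get(user, 0) + 1  # invalidates old tokens

    def admin_action(self, token: str) -> bool:
        claims = verify_token(token)
        user = claims["sub"]
        if claims.get("sv") != self.session_version.get(user):
            return False  # token predates the revocation: session invalidated
        return self.roles.get(user) == "admin"  # authoritative, current role


def demo() -> dict:
    """Replay the write-up's scenario against both implementations: (before, after) revocation."""
    results = {}
    for name, cls in (("vulnerable", VulnerableApp), ("hardened", HardenedApp)):
        app = cls()
        app.roles["alice"] = "admin"    # HR grants admin by mistake
        token = app.login("alice")      # Alice logs in while still an admin
        before = app.admin_action(token)
        app.revoke_admin("alice")       # HR revokes the role
        after = app.admin_action(token)  # Alice replays her old session
        results[name] = (before, after)
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': (True, True), 'hardened': (True, False)}
```

The vulnerable version fails exactly the way the write-up describes: the token's signature is still valid, so the stale `role` claim is honoured after HR has revoked it. In the hardened version the role never travels in the token, so a revocation is visible on the very next request, and the session-version bump additionally logs the user out of every session that was opened before the revocation.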
Final POC Video:
Fix Status: Fixed
Reward: After panel meet… :)
So see y'all in a new write-up soon, guys!!
Thanks for reading!!
Make sure to follow me on Twitter ;)