Broken session control gives access to the admin panel even after the access is revoked!! — #ZOHO

Hey Guys

Every IT guy knows about Zoho People Plus; it is widely used by employees in companies. Recently I found a vulnerability in Zoho People Plus. The interesting thing is that even after the admin access is revoked, the user can still make changes in Zoho People Plus as an admin, and all of those changes take effect.

For example:

Let's assume a scenario where the HR team, by mistake or on purpose, gives admin access (or any other role) to a specific person in the organization. Some time later the HR team revokes that person's access, but the user can still reach the admin features. They can change anything they want inside the admin panel and perform every action an admin can. The reason behind this issue is that, after the access is revoked, the application does not check whether the user is still authorized for the action on each request; it trusts the role that was attached to the session when it was created, and the already-issued session token is not expired when the role is revoked. A role change therefore only takes effect once the user happens to log in again.
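To make the root cause concrete, here is a small in-memory model of the two patterns described above. This is an added example written for this write-up, not Zoho's code; the user record, the session store and the user name "alice" are constructed data, and the method names are hypothetical. The vulnerable variant caches the role in the session at login and never revisits it; the hardened variant checks the user's current role on every request, stamps sessions with a role version so a stale session is rejected, and deletes all of a user's sessions when their role is changed.

```python
import secrets


class PeopleApp:
    """Toy model of a role-based admin panel (added example, not Zoho's code)."""

    def __init__(self):
        # Constructed data: one user who holds the admin role at login time.
        self.users = {"alice": {"role": "admin", "role_version": 1}}
        self.sessions = {}  # session token -> session record

    def login(self, user):
        token = secrets.token_urlsafe(24)
        self.sessions[token] = {
            "user": user,
            "role": self.users[user]["role"],                  # snapshot taken at login
            "role_version": self.users[user]["role_version"],  # used by the hardened check
        }
        return token

    # --- vulnerable pattern: revocation only updates the user record ---------
    def revoke_admin_vulnerable(self, user):
        self.users[user]["role"] = "employee"   # existing sessions are left untouched

    def admin_action_vulnerable(self, token):
        s = self.sessions.get(token)
        if s is None:
            return "unauthenticated"
        if s["role"] != "admin":                 # trusts the role cached at login
            return "forbidden"
        return "ok"

    # --- hardened pattern: invalidate sessions and re-check on every request --
    def revoke_admin_hardened(self, user):
        self.users[user]["role"] = "employee"
        self.users[user]["role_version"] += 1    # any session issued earlier is now stale
        stale = [t for t, s in self.sessions.items() if s["user"] == user]
        for t in stale:
            del self.sessions[t]                 # force a fresh login after the role change

    def admin_action_hardened(self, token):
        s = self.sessions.get(token)
        if s is None:
            return "unauthenticated"
        live = self.users[s["user"]]
        if s["role_version"] != live["role_version"]:
            del self.sessions[token]             # belt and braces: reject a stale session
            return "unauthenticated"
        if live["role"] != "admin":              # authorize against the current role store
            return "forbidden"
        return "ok"


def reproduce():
    """Run the write-up's scenario against both patterns; returns the outcomes."""
    vuln = PeopleApp()
    t = vuln.login("alice")
    before_v = vuln.admin_action_vulnerable(t)
    vuln.revoke_admin_vulnerable("alice")
    after_v = vuln.admin_action_vulnerable(t)    # still "ok": the bug

    hard = PeopleApp()
    t2 = hard.login("alice")
    before_h = hard.admin_action_hardened(t2)
    hard.revoke_admin_hardened("alice")
    after_h = hard.admin_action_hardened(t2)     # "unauthenticated": session is gone
    return {"vulnerable": (before_v, after_v), "hardened": (before_h, after_h)}


if __name__ == "__main__":
    print(reproduce())
```

The second half of the fix matters even if the first is in place: a role check against the live user record on every request means that, should session invalidation ever be skipped (a replica lagging, a second login server, a cached session), the revoked user still gets "forbidden" instead of "ok".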

Final POC Video:

Fix Status: Fixed

Reward: After panel meet… :)

So see y'all in a new write-up soon, guys!!

Thanks for reading!!

Make sure to follow me on Twitter ;)

@Naveen

Naveenroy

Red teamer, Security Researcher