Multiple admin levels

De OWASP
Saltar a: navegación, buscar

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (02/27/10): Template:FEB/Template:27/Template:2010

Vulnerabilities Table of Contents

Description

In an application with administrators that have the ability to alter login credentials of users, if there are multiple levels of administrator permissions, there needs to be a control preventing administrators with lower permission levels from altering login credentials of higher level admins.


Risk Factors

  • Likelihood of this happening relies on an attacker getting control of a lower level admin account in the first place.
  • Administrator misconduct or mistakes could be made worse if they could easily escalate their own permissions.
  • There is no point to create administrators with different levels of permissions if you don't prevent them from easily escalating their own permissions.