[Resolved] Promote User Role permission is a serious security vulnerability

This thread is resolved. Here is a description of the problem and solution.

Problem:
Toolset offers to add promote_user to any user role, and that is a security issue

Solution:
This is not a security issue; it is the webmaster's responsibility to decide whether or not a certain user (role) can be trusted enough to be assigned promote_users.

We do, however, take into consideration feature requests submitted on https://toolset.com/home/contact-us/suggest-a-new-feature-for-toolset/, which can ask for additional (and configurable) settings to better control which precise users a user with promote_users rights can upgrade.
Please submit a Feature Request on the above link if you want this to appear in Toolset Access.

This support ticket was created 5 years, 10 months ago. There's a good chance that you are reading advice that is now obsolete.


This topic contains 9 replies, has 2 voices.

Last updated by danielV-5 5 years, 10 months ago.

Assisted by: Beda.

#1233273

Hi guys!

I'm sure everybody in the amazing Toolset Access team is aware that giving the Promote User Role permission is a serious security vulnerability, because e.g. a user at Level 6 can promote themselves or others to Level 7, 8, 9, etc., intentionally or accidentally.
As far as we can see, the issue is partially related to limitations in the core WordPress infrastructure, and/or possible limitations in the amazing Toolset Access plugin.

The issue is such a security concern that some of our clients have instructed us
that if we can't resolve it within Toolset, we must find another solution.
We Looove Toolset, and we certainly don't want to use anything else.

We have found that the Advanced Access Manager (AAM) plugin has resolved this,
as you can read that they specifically resolved this serious security vulnerability here:
hidden link

You will see on that page that they have resolved it by ensuring: "all users and roles that have higher user level will be automatically filtered from the All Users page as well as there will be no options to promote users to the role with higher user level."

Toolset is by far the greatest plugin in the known universe,
and we certainly don't want to have to leave it because of this serious security vulnerability
with the Toolset Access Promote User permission.

My question to the awesome Toolset management is:
If the AAM plugin has resolved this security risk, is Toolset able to as well?

Sincerely,
Daniel from Australia

#1233374

I am sorry that I do not fully understand.

Do you mean, Toolset Access did set without your knowledge any users or roles capabilities to allow promote_users?

I know that Toolset Access allows this to be set when editing a Role in advanced mode, however, it does not do this automatically.
It needs to be checked on the list of capabilities you want to add to a certain role, and that would be under the webmaster's responsibility.
promote_users (https://wordpress.org/support/article/roles-and-capabilities/#promote_users) is a native WordPress capability, and we allow a role to be set with it, but we would not do this by default or without the interaction of the webmaster.

I apologise if I misunderstand the situation, and also would like to share the direct link to our Security Team https://toolset.com/report-security-vulnerability-issues/, in case you want to report a technical security hole or any other security issue in Toolset Access.

What I already see on our end which we should improve is the "No Info" description added below this important and powerful capability.
I will request to update it with a more meaningful text.

#1233386

Thank you Beda,
Yes, we manually ticked the Promote Users option.
However, as we detailed below, that is a security vulnerability, so we have turned it back off.
We do urgently need staff to promote users, but not so that they can take over the whole site.
As detailed below, we have found the AAM plugin resolves this vulnerability; however, we want to use Toolset Access and not the AAM plugin.
Can you please ask Toolset management whether Toolset is able to fix this vulnerability like AAM has, so we can stay with Toolset?
Cheers!
Daniel from Australia

#1233388

This is a WordPress capability. If enabling it opens a vulnerability, it should be reported to WordPress.
Toolset Access does not alter it or change its behaviour, and I am sure that WordPress does not open a vulnerability when this is used.
It is - I completely agree - a big decision to make someone able to promote users; however, that is exactly what the function does.
If a user cannot be trusted with this role, it should not be given this role.
The role is intended to let users promote users, just as an admin can; these users should usually be highly trusted cooperators on the site.

This might be addressed by other plugins so as to prevent those roles from promoting other (higher) user levels or degrading them, but as you know a user cannot change his OWN role, so the fear that an editor can make himself admin is not related to this permission, promote_users.
You can always only change the roles of other users, not your own, even as an admin.

If you found a vulnerability, please report this to the right team here:
https://toolset.com/report-security-vulnerability-issues/

I do not agree that this is a vulnerability, because it is subject to the decisions made by the webmaster, and it is not possible to auto-upgrade one's own role even with the promote_users capability, only other roles.

If you want to suggest a feature that allows you to control which precise roles one can edit when one has the promote_users capability, the feature request should be made here:
https://toolset.com/home/contact-us/suggest-a-new-feature-for-toolset/

I apologise if I am not understanding properly; however, I see no vulnerability in this setting. It is a setting to decide on carefully; however, it's a native WordPress setting that does not compromise your website if given only to users you trust.

There are other ways to upgrade a user role if you wish this to be done by users you do not trust; however, the question here is whether those untrusted users having any sort of such ability on the site is safe.

How would you imagine this to work in a safer condition?
I think it would require several more settings to tell the program what exactly the user with such a role should be able to update (for example, only roles below his own role).
But this is not a vulnerability; it is a totally new feature added to the plugin, which would require the communication to be opened here: https://toolset.com/home/contact-us/suggest-a-new-feature-for-toolset/

Please feel free to use https://toolset.com/report-security-vulnerability-issues/ in case I do not understand the seriousness here well enough.
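One way to implement the "only roles below his own role" restriction described above, as an added example that is not Toolset's or AAM's code: a small must-use plugin that hooks WordPress's `editable_roles` filter and compares the legacy `level_N` capabilities of each role against the current user's highest level. Prefix `rpr_` and the plugin name are assumptions; because core's user-edit and bulk role-change handlers reject roles missing from `get_editable_roles()`, the filter enforces the limit rather than only hiding options.

```php
<?php
/**
 * Plugin Name: Restrict Promotable Roles (added example, not Toolset or AAM code)
 *
 * Lets a non-administrator with promote_users assign only roles whose
 * user level is at or below their own, closing the "staff promotes a
 * customer to administrator" path. Drop into wp-content/mu-plugins/.
 */

// Highest legacy level_N capability granted by a capability map, or -1 if none.
function rpr_role_max_level( array $capabilities ) {
    $max = -1;
    foreach ( $capabilities as $cap => $granted ) {
        if ( $granted && preg_match( '/^level_(\d+)$/', $cap, $m ) ) {
            $max = max( $max, (int) $m[1] );
        }
    }
    return $max;
}

// Highest level held by a user across all of their roles.
function rpr_user_max_level( WP_User $user ) {
    $max = -1;
    foreach ( $user->roles as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $max = max( $max, rpr_role_max_level( $role->capabilities ) );
        }
    }
    return $max;
}

// Keep only the roles the current user may assign to others.
function rpr_filter_editable_roles( array $roles ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $roles; // administrators keep the full list
    }
    $limit = rpr_user_max_level( wp_get_current_user() );
    foreach ( $roles as $name => $details ) {
        if ( rpr_role_max_level( $details['capabilities'] ) > $limit ) {
            unset( $roles[ $name ] ); // strip roles above the caller's level
        }
    }
    return $roles;
}
add_filter( 'editable_roles', 'rpr_filter_editable_roles' );
```

This covers only which roles can be assigned; hiding higher-level accounts from the All Users page, the other half of the AAM behaviour quoted earlier in the thread, is a separate step.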

#1233390

It is very simple: we have multiple customer roles, which we need our staff to manage.
A simple staff member could intentionally or accidentally promote a customer to be able to edit or destroy the website!
It is all detailed in the first message in this thread.
We don't want to stop using Toolset Access and move to AAM.
We want to keep using Toolset, so can you please not ignore this,
but please please please ask Toolset management if they can resolve this like AAM has?
Thank you

#1233396

Yes, but this is exactly what promote_users is intended for:
to give users the right and possibility to change other users' roles, whether upwards in the ladder of capabilities or downwards.

It does not allow the user to promote himself, which is what you outline as the vulnerability here:
https://toolset.com/forums/topic/promote-user-role-permission-is-a-serious-security-vulnerability/#post-1233273

If you do not want users to promote other users, do not give those users that privilege.
For your case the feature added by that plugin may sound like what you need; for another user it's the opposite, and they would never want that upon Access's activation, all users and roles that have a higher user level are automatically removed from the All Users page, so as to avoid promoting users to a role with a higher user level.
This is not what promote_users does.
It is a specific, very particular feature of that plugin, and I can think of cases where exactly the "automated" removal of those roles from the lists would be a cause for complaint.

What we can do is:
- add this as a feature (but likely not automated; instead, a decision would have to be made when assigning this or other caps to given roles).
This should, in any case, be requested or suggested here: https://toolset.com/home/contact-us/suggest-a-new-feature-for-toolset/
- we can fix security issues, but this is not a security issue, as it is doing exactly what WordPress prescribes for that cap.
It is a powerful capability, but the feature you ask for is something that needs to be added and requires considerable work both in the GUI and in the capability logic.

I am not saying I do not see your point, but this is neither a vulnerability nor something we can change as a BUG, or similar.
Unfortunately, this is a new feature that needs to be requested.
I cannot file this request for you; it needs to be done at https://toolset.com/home/contact-us/suggest-a-new-feature-for-toolset/

#1233591

Thank you Beda. As this is such a security vulnerability, I have submitted both the Report Security Vulnerability Issue and the Suggest A New Feature forms.
At this point we have been forced to delete the Toolset Access plugin from 3 major websites in Australia,
and replace it with the AAM plugin, as it is the only way to remove the security risk.
Please update us if Toolset fixes this risk, so we can go back to Toolset again and not use AAM.
Thank you,
Daniel

#1234155

Thanks, Daniel, for submitting the request.

We can close this ticket here, as the request will be discussed as a feature request by the developers, and Product Management will keep you informed through email communication.

Note that this is not a security vulnerability; instead, it's a WordPress core feature that you can decide to use, or not.
Our Product Management already added this request to the Toolset Access features list.
Our Developers will then check if this can be implemented in a dynamic way as an option, so users can choose what to do when using Toolset Access.

Thanks for the suggestion!

#1234233

Thank you Beda.

Great, we are looking forward to uninstalling AAM,
and reinstalling Toolset Access on our large sites,
when the feature is safe.

Cheers,
Daniel

#1234234

Thank you