CVE-2018-15888
Description
An issue was discovered in ASPCMS 2.5.6. When registering ordinary users in the addUser function of the /member/reg.asp page, they can be registered with the super administrators GroupID directly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASPCMS 2.5.6 allows unprivileged users to escalate privileges to super admin during registration by manipulating the GroupID parameter.
Vulnerability
The addUser function in the /member/reg.asp page of ASPCMS version 2.5.6 does not properly validate or enforce the GroupID parameter during user registration. An attacker can register an ordinary user account and set the GroupID to the value corresponding to a super administrator group. This flaw exists in the registration logic, which fails to restrict the group assignment to only allowed roles for self-registration. [1]
Exploitation
An attacker only needs network access to the ASPCMS registration page; no prior authentication is required. By crafting a registration request (for example, an HTTP POST to /member/reg.asp) that includes a GroupID parameter set to the value of the super administrator group (the references do not state the numeric ID), the attacker creates a new account that immediately holds super administrator privileges. This is a mass-assignment flaw: a field that only an administrator should be able to set is accepted from the public self-registration form and written to the new account unchanged. No user interaction or special conditions are needed beyond reaching the registration form. [1]
Impact
A successful exploit grants the attacker full super administrator privileges over the ASPCMS instance. This includes the ability to modify site content, manage other users, change configurations, and perform any action available to the highest-level administrator. The confidentiality, integrity, and availability of the application are completely compromised. [1]
Mitigation
No official patch or fixed version has been identified in the available references, and the vendor (ASPCMS) has not released a statement or update addressing this issue. The correct fix is server-side: the registration handler should assign the default member group itself and never read GroupID (or any other privilege-bearing field) from the request. Until that is in place, disable user self-registration entirely if possible; a web application firewall (WAF) rule that rejects registration requests carrying a GroupID parameter is only a stopgap, since it depends on the parameter name and encoding the attacker chooses. Administrators should also audit existing accounts for members of the super administrator group that were created through self-registration. If the software is no longer supported, migration to a maintained alternative is recommended. [1]
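The following is an added illustration, not ASPCMS source code, covering both the flaw described under Vulnerability/Exploitation and the server-side fix and audit recommended under Mitigation. It models the registration handler in Python so the vulnerable and fixed versions can be run side by side against a constructed attacker request. The group numbers, the field names other than GroupID, the password hashing and the in-memory user store are all assumptions for the example.

```python
"""Self-registration that trusts a client-supplied GroupID (CVE-2018-15888 flaw class).

Added illustration, not ASPCMS code. Assumptions: the group numbering, the
field names other than GroupID, the password hashing and the user store.
"""
import hashlib
import os

# Assumed group numbering; the CVE references do not give ASPCMS's real IDs.
SUPER_ADMIN_GROUP = 1
MEMBER_GROUP = 10          # the only group self-registration should ever assign


def hash_pw(password: str) -> str:
    """Salted PBKDF2; incidental to the example, not ASPCMS's scheme."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


class UserStore:
    """Stand-in for the users table, keyed by user name."""

    def __init__(self):
        self.users = {}

    def add(self, name: str, pw_hash: str, group_id: int, source: str) -> dict:
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = {"pw": pw_hash, "GroupID": group_id, "source": source}
        return self.users[name]


def add_user_vulnerable(store: UserStore, form: dict) -> dict:
    """Mirrors the reported behaviour: whatever GroupID the form carries is stored."""
    group_id = int(form.get("GroupID", MEMBER_GROUP))
    return store.add(form["UserName"], hash_pw(form["Password"]),
                     group_id, source="self_registration")


def add_user_fixed(store: UserStore, form: dict) -> dict:
    """The server chooses the group. GroupID is never read from the request,
    so there is no allow-list to get wrong and nothing for a WAF to miss."""
    return store.add(form["UserName"], hash_pw(form["Password"]),
                     MEMBER_GROUP, source="self_registration")


def find_self_registered_admins(store: UserStore) -> list:
    """Post-incident audit: self-registered accounts holding the admin group.
    Accounts created through the admin panel are expected and not reported."""
    return sorted(name for name, row in store.users.items()
                  if row["GroupID"] == SUPER_ADMIN_GROUP
                  and row["source"] == "self_registration")


# Constructed attacker request: an ordinary registration with GroupID added.
ATTACK_FORM = {"UserName": "mallory", "Password": "Passw0rd!", "GroupID": "1"}

if __name__ == "__main__":
    vulnerable = UserStore()
    vulnerable.add("admin", hash_pw("legit"), SUPER_ADMIN_GROUP, source="admin_panel")
    add_user_vulnerable(vulnerable, ATTACK_FORM)
    print("vulnerable:", find_self_registered_admins(vulnerable))   # ['mallory']

    fixed = UserStore()
    fixed.add("admin", hash_pw("legit"), SUPER_ADMIN_GROUP, source="admin_panel")
    add_user_fixed(fixed, ATTACK_FORM)
    print("fixed:", find_self_registered_admins(fixed))             # []
```

The fixed handler deliberately does not validate GroupID against an allow-list of permitted values: the client has no legitimate reason to choose a role, so the safest code path never reads the field at all. The audit function is the check to run on an existing deployment; it needs some record of how each account was created, which the example carries in the source column.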
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- wooyun.org/bugs/wooyun-2015-091831 (MISC)
- www.seebug.org/vuldb/ssvid-96205 (MISC)
News mentions (0)
No linked articles in our index yet.