Privilege escalation in Polr
Description
Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Polr before 2.3.0 uses a loose comparison (==) on the setup key, allowing attackers with a crafted cookie to gain admin access.
Vulnerability
Before version 2.3.0, Polr, an open source URL shortener, contains a vulnerability in the finishSetup method of SetupController.php: the method uses a loose comparison (==) when validating the setup authentication key from the environment variable TMP_SETUP_AUTH_KEY against the value supplied in the setup_arguments cookie [2]. This allows an attacker to bypass authentication if they can craft a request with specific cookie headers to the /setup/finish endpoint [2]. The vulnerability exists regardless of user settings and does not require an existing account [2].
Exploitation
An attacker must be able to send HTTP requests to the target Polr instance and have knowledge of the setup endpoint [1][2]. The attacker crafts a request to /setup/finish with a cookie named setup_arguments containing a JSON object that includes a setup_auth_key field. Due to the loose comparison (==), if the attacker can guess or manipulate the value to match the environment variable (e.g., by exploiting PHP type juggling, such as using a numeric string or a value that equals true), the check may pass, granting admin privileges [1][2]. After the fix, a strict comparison (===) is used, and the endpoint also checks that the users table does not already exist before proceeding [1].
Impact
Successful exploitation allows the attacker to gain admin access to the Polr instance without possessing an existing account [2]. This leads to full compromise of the URL shortener, including the ability to manage users, links, and settings [2].
Mitigation
The vulnerability is fixed in Polr version 2.3.0 [1][2]. Users should upgrade to this version or apply the workaround by adding abort(404); as the very first line of the finishSetup function in SetupController.php if upgrading is not immediately possible [2]. The patch involves changing the loose comparison (==) to a strict comparison (===) and verifying that the users table does not exist before running migrations [1].
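To make the difference between the two comparisons concrete, the following PHP snippet is an added illustration and is not Polr's own code. It borrows only the names the record mentions (TMP_SETUP_AUTH_KEY, the setup_arguments cookie and its setup_auth_key field); the two helper functions, the $usersTableExists flag and every sample value are constructed for this example.

```php
<?php
// Added example, not code from the Polr project. The function names, the
// $usersTableExists flag and all sample values below are constructed.

// Vulnerable shape: a loose comparison. PHP first coerces both operands to a
// common type, so a supplied value that is not the key can still compare equal;
// a JSON boolean true, for instance, is compared against the key as a boolean.
function setupKeyAcceptedLoose(string $expectedKey, $suppliedKey): bool
{
    return $suppliedKey == $expectedKey;
}

// Hardened shape, mirroring the fix described above: the supplied value must be
// a string and byte-identical to the key (===), and the endpoint refuses to do
// anything at all once a users table already exists (the same effect as the
// abort(404) workaround once setup has completed).
function setupKeyAcceptedStrict(string $expectedKey, $suppliedKey, bool $usersTableExists): bool
{
    if ($usersTableExists) {
        return false; // setup already ran; never re-provision accounts
    }
    return is_string($suppliedKey) && $suppliedKey === $expectedKey;
}

// Constructed key, standing in for the value setup would put in TMP_SETUP_AUTH_KEY.
$expectedKey = 'constructed-example-key-0123456789';

// Two constructed setup_arguments cookie bodies: one legitimate, one carrying a
// JSON boolean instead of the key. json_decode(..., true) yields arrays as a
// Laravel controller reading the cookie would see them.
$legitimate = json_decode('{"setup_auth_key":"constructed-example-key-0123456789"}', true);
$juggled    = json_decode('{"setup_auth_key":true}', true);

// Loose comparison: the real key passes, and so does the boolean payload.
var_dump(setupKeyAcceptedLoose($expectedKey, $legitimate['setup_auth_key']));
var_dump(setupKeyAcceptedLoose($expectedKey, $juggled['setup_auth_key']));

// Strict comparison with the users-table guard: only the real key passes, and
// only while setup has not yet been completed.
var_dump(setupKeyAcceptedStrict($expectedKey, $legitimate['setup_auth_key'], false));
var_dump(setupKeyAcceptedStrict($expectedKey, $juggled['setup_auth_key'], false));
var_dump(setupKeyAcceptedStrict($expectedKey, $legitimate['setup_auth_key'], true));
```

Under both PHP 7 and PHP 8, comparing a boolean true with a non-empty string using == converts the string to a boolean, so the loose check accepts the boolean payload just as it accepts the real key; the strict check rejects it because the operand is not a string equal to the key. The users-table guard is the second half of the fix: even a correct key must not re-run migrations or provision accounts on an instance that has already been set up.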
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.