This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Multiple admin levels

Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (02/27/10): Template:FEB/Template:27/Template:2010

Vulnerabilities Table of Contents


In an application with administrators that have the ability to alter login credentials of users, if there are multiple levels of administrator permissions, there needs to be a control preventing administrators with lower permission levels from altering login credentials of higher level admins.

Risk Factors

  • Likelihood of this happening relies on an attacker getting control of a lower level admin account in the first place.
  • Administrator misconduct or mistakes could be made worse if they could easily escalate their own permissions.
  • There is no point to create administrators with different levels of permissions if you don't prevent them from easily escalating their own permissions.