OneBlog icon indicating copy to clipboard operation
OneBlog copied to clipboard
verified publisher icon zhangyd-c

There is a Insecure Permissions vulnerability exists in OneBlog <= 2.2.8

Open afeng2016-s opened this issue 4 years ago • 0 comments

[Suggested description] Insecure Permissions vulnerability exists in OneBlog.Low level administrators can delete high-level administrators beyond their authority (including administrators with the highest authority).

[Vulnerability Type] Insecure Permissions

[Vendor of Product] https://github.com/zhangyd-c/OneBlog

[Affected Product Code Base] <= 2.2.8

[Affected Component] POST /user/remove HTTP/1.1 Host: localhost:8086 Content-Length: 5 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" Accept: / X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost:8086 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:8086/users Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms_token=c820882773ab4b6b9719916981b3e9b7; JSESSIONID=c45212ed-03a9-499c-810b-cf5c28e4d5b1 Connection: close

ids= 3(The IDS value is controllable. Any administrator can add, delete, modify and query the data of other administrator users by modifying the IDS value)

[Attack Type] Remote

[Vulnerability details]

first, prepare two test accounts with different levels. Senior administrator admin image-20211229164244458 Low level administrator root123 image-20211229164427567 Step 2: log in to the system with root123 and enter the user management page image-20211229165138189 Step 3: click the delete button to directly delete the administrator user admin image-20211229165336565 Delete succeeded!

In addition, you can also use burpsuite to capture packets and delete any user (including yourself) by modifying the value of ids. This is a logical vulnerability because the default secondary rule of the system is that you cannot delete yourself)

The first step is to log in to the background with root123 account and enter user management. image-20211229170717287 Step 2: after the packet capturing mode is enabled, click the delete button corresponding to user test image-20211229171345364 You can delete any user by modifying the value of IDS. Here, I modify the value of IDS to the value of the currently logged in user. image-20211229171533787 Delete succeeded!

afeng2016-s avatar Dec 29 '21 09:12 afeng2016-s