CVE-2019-11018: ThinkAdmin V4.0 authority control&Information Disclosure vulnerability · Issue #173 · zoujingli/ThinkAdmin

application\admin\controller\User.php in ThinkAdmin V4.0 does not prevent continued use of an administrator’s cookie-based credentials after a password change.


There is an authority control & information disclosure vulnerability in ThinkAdmin v4.0.
As admin, if you change your password, your cookie won't become invalid. It won't become invalid until the end of its life cycle. So if attackers got the admin's cookie, then even though traces of the attackers were found and the admin changed his password, the attackers can still enter the managed system.

POC:
1: Suppose the attacker got the admin's cookie.

2: We use Edit_this_cookie to change the cookie.

3: The admin changes his own password.

4: We can see the attackers still have access to this management system.

I have analysed the source code that results in this vulnerability.
The problem is present in …\application\admin\controller\User.php

The original source code is:

```php
public function pass()
{
    // GET: render the change-password form
    if ($this->request->isGet()) {
        $this->assign('verify', false);
        return $this->_form($this->table, 'pass');
    }
    $post = $this->request->post();
    // Reject the request when the two password fields differ
    if ($post['password'] !== $post['repassword']) {
        $this->error('两次输入的密码不一致!');
    }
    $data = ['id' => $post['id'], 'password' => md5($post['password'])];
    if (DataService::save($this->table, $data, 'id')) {
        // The password is saved, but the current session is left untouched
        $this->success('密码修改成功,下次请使用新密码登录!', '');
    }
    $this->error('密码修改失败,请稍候再试!');
}
```

And for this, I have made a patch.

```php
public function pass()
{
    // GET: render the change-password form
    if ($this->request->isGet()) {
        $this->assign('verify', false);
        return $this->_form($this->table, 'pass');
    }
    $post = $this->request->post();
    // Reject the request when the two password fields differ
    if ($post['password'] !== $post['repassword']) {
        $this->error('两次输入的密码不一致!');
    }
    $data = ['id' => $post['id'], 'password' => md5($post['password'])];
    if (DataService::save($this->table, $data, 'id')) {
        /* $this->success('密码修改成功,下次请使用新密码登录!', ''); */
        // Log the logout, then clear and destroy the session so the old cookie stops working
        if (session('id')) {
            LogService::write('系统管理', '用户退出系统成功');
        }
        session('id', null);
        session_destroy();
        // Send the user back to the login page
        $this->success('修改成功,请重新登陆!', '@admin/login');
    }
    $this->error('密码修改失败,请稍候再试!');
}
```

Author: schur
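The patch above ends the session that submits the password change. The following PHP is an added example, not part of the original issue and not ThinkAdmin code, and it goes beyond the patch by revoking every session of the account: each session stores the user's credential version and is rejected once a password change bumps it. The class `SessionGuard`, its methods and the in-memory arrays standing in for the user table and session store are hypothetical.

```php
<?php
// Added example, not ThinkAdmin code; all names are hypothetical.
// Each session records the user's credential version; a password change
// bumps the version, so every older session fails the per-request check.
final class SessionGuard
{
    private array $users = [];    // uid => [hash, ver]; constructed in-memory user table
    private array $sessions = []; // sid => [uid, ver]; constructed server-side session store

    public function addUser(int $uid, string $password): void
    {
        $this->users[$uid] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'ver' => 1];
    }

    public function login(int $uid, string $password): ?string
    {
        $user = $this->users[$uid] ?? null;
        if ($user === null || !password_verify($password, $user['hash'])) {
            return null;
        }
        $sid = bin2hex(random_bytes(16)); // the value that would be set as the cookie
        $this->sessions[$sid] = ['uid' => $uid, 'ver' => $user['ver']];
        return $sid;
    }

    // Called on every request; returns the user id, or null if the session is revoked.
    public function authenticate(string $sid): ?int
    {
        $s = $this->sessions[$sid] ?? null;
        if ($s === null || $s['ver'] !== $this->users[$s['uid']]['ver']) {
            unset($this->sessions[$sid]);
            return null;
        }
        return $s['uid'];
    }

    public function changePassword(int $uid, string $new): void
    {
        $this->users[$uid]['hash'] = password_hash($new, PASSWORD_DEFAULT);
        $this->users[$uid]['ver']++; // revokes all sessions issued before this point
    }
}

$g = new SessionGuard();
$g->addUser(1, 'old-password');         // constructed sample account
$cookie = $g->login(1, 'old-password'); // admin's session; a copied cookie carries the same value
$other  = $g->login(1, 'old-password'); // second session for the same account
$g->changePassword(1, 'new-password');
var_dump($g->authenticate($cookie), $g->authenticate($other));
var_dump($g->authenticate($g->login(1, 'new-password')));
```

After the password change, both sessions created with the old password are rejected, and only the session created with the new password resolves to user 1.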
