CVE-2022-27958: CVE-Request/febs.md at main · afeng2016-s/CVE-Request

Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allow attackers to access and arbitrarily modify users' personal information.


There is a security vulnerability in FEBS-Security.

[Suggested description] The user/getUserProfile method in the FEBS-Security project lacks verification of the userId parameter, so any user can modify the personal information of other users through the user/updateUserProfile method. Example URL: http://localhost:8080/user/updateUserProfile

[Vulnerability Type] Insecure permissions

[Vendor of Product] https://github.com/febsteam/FEBS-Security

[Affected Product Code Base] v1.0

[Affected Component] user/getUserProfile and user/updateUserProfile

[Attack Type] Remote

[Proof of concept]

1. The personal-information modification module of this project is vulnerable. The source code shows that the profile functions identify the user solely by the userId passed in with the request.

```java
@RequestMapping("user/getUserProfile")
@ResponseBody
public ResponseBo getUserProfile(Long userId) {
    // userId is taken straight from the request; it is never compared with the logged-in user
    try {
        MyUser user = new MyUser();
        user.setUserId(userId);
        return ResponseBo.ok(this.userService.findUserProfile(user));
    } catch (Exception e) {
        log.error("获取用户信息失败", e);
        return ResponseBo.error("获取用户信息失败,请联系网站管理员!");
    }
}

@RequestMapping("user/updateUserProfile")
@ResponseBody
public ResponseBo updateUserProfile(MyUser user) {
    // the data-bound MyUser, including its userId, comes from the submitted form as-is
    try {
        this.userService.updateUserProfile(user);
        return ResponseBo.ok("更新个人信息成功!");
    } catch (Exception e) {
        log.error("更新用户信息失败", e);
        return ResponseBo.error("更新用户信息失败,请联系网站管理员!");
    }
}
```

2. Use Burp Suite to capture the request and modify the userId.


3. The userId of the currently logged-in user is 171; change it to 172 and open the personal-information edit page.


4. Modify any field and click Save, then capture the resulting request.


5. After the save succeeds, log out, log in as the user with userId 172 whose data was just modified, and open the view-personal-information page. The reproduction is complete.

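A hardened form of the two handlers quoted in step 1, added here as an example and not the project's own code: the identity used for both the read and the update is taken from the server-side Spring Security context, never from the request. `AuthenticatedPrincipal`, `UserService`, and the use of Spring Security and Lombok are assumptions about the application.

```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Hypothetical principal: whatever the app's UserDetailsService returns, plus the numeric user id.
interface AuthenticatedPrincipal { Long getUserId(); }

@Slf4j
public class UserProfileController {
    @Autowired
    private UserService userService; // assumed type of the service the page's handlers call

    // The only trusted source of identity is the server-side security context.
    private static Long currentUserId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || !(auth.getPrincipal() instanceof AuthenticatedPrincipal)) {
            throw new IllegalStateException("no authenticated user");
        }
        return ((AuthenticatedPrincipal) auth.getPrincipal()).getUserId();
    }

    // No userId request parameter any more: a user can only read their own profile.
    @RequestMapping("user/getUserProfile")
    @ResponseBody
    public ResponseBo getUserProfile() {
        try {
            MyUser user = new MyUser();
            user.setUserId(currentUserId());
            return ResponseBo.ok(this.userService.findUserProfile(user));
        } catch (Exception e) {
            log.error("获取用户信息失败", e);
            return ResponseBo.error("获取用户信息失败,请联系网站管理员!");
        }
    }

    // Any userId the client put in the form is overwritten with the session's id,
    // so the data-bound MyUser can never point at another account.
    @RequestMapping("user/updateUserProfile")
    @ResponseBody
    public ResponseBo updateUserProfile(MyUser user) {
        try {
            user.setUserId(currentUserId());
            this.userService.updateUserProfile(user);
            return ResponseBo.ok("更新个人信息成功!");
        } catch (Exception e) {
            log.error("更新用户信息失败", e);
            return ResponseBo.error("更新用户信息失败,请联系网站管理员!");
        }
    }
}
```

Removing the client-controlled userId from both paths also removes the mass-assignment risk in updateUserProfile, where the bound MyUser previously carried whatever id the form contained.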
