CVE-2020-20502: Denial of service attack caused by CSRF(CSRF造成的拒绝服务攻击) · Issue #27 · yzmcms/yzmcms
Cross Site Request Forgery found in yzCMS v.2.0 allows a remote attacker to execute arbitrary code via the token check function.
Hello, I found a vulnerability in your application. I call it a denial of service attack caused by CSRF. The point of vulnerability is the URL rule configuration. When I use CSRF to make an administrator configure an illegal rule, the access routing of the whole site is changed. That is to say, it is totally inaccessible and the site is in 404 status. (Its priority is higher than the original admin/ and other routes.)
The attack is shown as follows:
No token check is used where routes are set up.
The PoC is:
When the PoC is executed, all routes of the site under http://host/aaaaaa are directed to http://host/hack_by_laker.
And we can define multiple routes in one link, so that all routes are overridden and the whole site will crash and cannot be accessed.
In Chinese (translated to English):
Hello, I found a vulnerability in your application; I call it a denial of service attack caused by CSRF. The vulnerability arises in the URL rule configuration: when I use CSRF to make an administrator configure an invalid rule, the access routing of the entire site is changed. That is, the site becomes completely inaccessible and shows 404 everywhere. (Its priority is higher than the original admin/ and other routes.)
The attack is shown as follows:
The PoC is:
No token check is used where routes are set up,
and we can define multiple routes in one link, so that all routes are overridden and the whole site crashes and cannot be accessed:
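The root cause reported above is a state-changing admin form (the route-rule editor) that accepts a POST without any anti-CSRF token, so a logged-in administrator who visits an attacker-controlled page silently submits the forged rules. The following is an added example, not yzmcms code and not the reporter's PoC: a minimal per-session synchronizer-token check, with an Origin/Referer comparison as defence in depth, wrapped around a hypothetical route-rule save handler. The session and form are plain dicts, the header names, the `site_origin` parameter, the `csrf_token` field name and the `from`/`to` rule fields are all assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example (not yzmcms code): a per-session CSRF token scheme
# protecting a hypothetical "save route rules" admin action.

TOKEN_KEY = "csrf_token"  # hypothetical session key and form field name


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the per-session token that the admin form embeds
    as a hidden field; a cross-site page cannot read it."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def same_origin(headers: dict, site_origin: str) -> bool:
    """Defence in depth: a cross-site form post carries a foreign Origin
    (or Referer); a request with neither header is treated as cross-site."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def verify_csrf(session: dict, form: dict, headers: dict, site_origin: str) -> bool:
    """True only if the submitted token matches the session token
    (constant-time compare) and the request originates from the site."""
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY, "")
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected, submitted):
        return False
    return same_origin(headers, site_origin)


def save_route_rules(session: dict, form: dict, headers: dict,
                     site_origin: str, rules_store: list) -> dict:
    """Hypothetical handler for the route-rule form: refuses the change
    unless the CSRF check passes, otherwise records the submitted rule.
    The 'from'/'to' field names are assumptions for this example."""
    if not verify_csrf(session, form, headers, site_origin):
        return {"ok": False, "error": "csrf check failed"}
    rules_store.append({"from": form["from"], "to": form["to"]})
    return {"ok": True}


if __name__ == "__main__":
    site = "https://cms.example"          # constructed site origin
    session, store = {}, []
    token = issue_csrf_token(session)

    # Legitimate submission from the admin's own form.
    print(save_route_rules(session,
                           {TOKEN_KEY: token, "from": "news", "to": "index.php?m=news"},
                           {"Origin": site}, site, store))
    # Forged cross-site submission: no token, foreign Origin -> rejected.
    print(save_route_rules(session,
                           {"from": "aaaaaa", "to": "hack"},
                           {"Origin": "https://attacker.example"}, site, store))
    print("stored rules:", store)
```

The token is stored server-side in the session and compared with `hmac.compare_digest`, so neither a guessed nor a missing token passes; the Origin check is a second, independent barrier rather than a replacement for the token.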