Assigning CVE request: dreamercms #1, updatePwd allows changing any user account's password

product: dreamercms
url: https://github.com/iteachyou-wjn/dreamer_cms
star: 1k

Vulnerability Submission Report

  • Product: dreamer_cms

  • URL: http://localhost:8080/admin/user/updatePwd

  • Title: BFLA vulnerability allows password change of any user

  • Proof of Concept (PoC):

    1. An attacker logs into the application with a low-privileged user account (e.g., attacker).

    2. The attacker obtains the user ID and the current password of a victim user (e.g., admin). This could be achieved through weak password guessing, social engineering, or another vulnerability.

    3. The attacker sends a POST request to the /admin/user/updatePwd endpoint with a JSON payload containing the victim's ID, the victim's current password, and a new password chosen by the attacker.

      POST /admin/user/updatePwd HTTP/1.1
      Host: localhost:8080
      Content-Type: application/json
      Cookie: [attacker's session cookie]
      
      {
        "id": "[victim_admin_user_id]",
        "oldPwd": "[victim_admin_current_password]",
        "newPwd": "[new_password_for_admin]"
      }
      
    4. The application verifies the oldPwd against the victim's account (victim_admin_user_id) but fails to check if the logged-in user (attacker) is authorized to perform this action on another user's account.

    5. The server processes the request successfully and changes the admin user's password. The attacker can now log in as the admin user with the new password.

  • Effect: This vulnerability allows any authenticated user to change the password of any other user in the system, provided they know the target user's current password. An attacker can leverage this to escalate their privileges by taking over an administrator's account, leading to a full system compromise. This allows the attacker to access, modify, or delete any data, and perform all administrative functions.

  • Finder: aibot88 @secsys from Fudan University
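Added illustration, not DreamerCMS's own code: a Python model of the updatePwd handler as described in steps 3 to 5, with the vulnerable form (oldPwd is checked against whatever id the JSON body carries) beside a hardened form that first requires the body id to match the session user. The in-memory user table, the PBKDF2 password storage and the admin-override policy are assumptions made for the example.

```python
import hashlib
import hmac
import os

def _hash(pwd: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000)

def _user(role: str, pwd: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "pwd_hash": _hash(pwd, salt)}

# Constructed stand-in for the CMS user table: an admin and a low-privileged user.
USERS = {"1": _user("admin", "Admin#2025"), "2": _user("editor", "attacker-pw")}

def _change_password(target: dict, old_pwd: str, new_pwd: str) -> str:
    # Proves knowledge of the target's current password only; it says nothing
    # about whether the caller is allowed to act on that target.
    if not hmac.compare_digest(target["pwd_hash"], _hash(old_pwd, target["salt"])):
        return "bad-credentials"
    target["salt"] = os.urandom(16)
    target["pwd_hash"] = _hash(new_pwd, target["salt"])
    return "changed"

def update_pwd_vulnerable(session_uid: str, body: dict) -> str:
    """Mirrors the reported flaw: the target id is taken from the JSON body and
    the session identity (session_uid) is never compared against it."""
    target = USERS.get(body["id"])
    if target is None:
        return "bad-credentials"
    return _change_password(target, body["oldPwd"], body["newPwd"])

def update_pwd_fixed(session_uid: str, body: dict) -> str:
    """Hardened form: the body id must equal the session user's id, or the caller
    must hold the admin role (an assumed policy), before any credential check."""
    caller = USERS.get(session_uid)
    if caller is None:
        return "unauthenticated"
    if body["id"] != session_uid and caller["role"] != "admin":
        return "forbidden"  # the authorization check the report says is missing
    target = USERS.get(body["id"])
    if target is None:
        return "bad-credentials"
    return _change_password(target, body["oldPwd"], body["newPwd"])
```

The fixed handler refuses a cross-account request before touching the stored credential, so a wrong-versus-right oldPwd for another user is not distinguishable from the response.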

posted @ 2025-08-28 19:22 Aibot