WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops article browser --- http://drop.zone.ci/
2014-05-08: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2014-08-06: The vendor has actively ignored the vulnerability; details disclosed to the public.
Tipask: a missing authorization check lets any user edit other people's answers
First, pick the target answer, for example the first answer on this question: http://help.tipask.com/q-19260.html
Open the developer tools (F12) and look at the link behind the comment button to read off the answer's ID.
The ID is 3608, so visit: http://help.tipask.com/question/editanswer/3608/0.html
Submit the edit form; the modification goes through even though the answer belongs to someone else.
----------------------------------
The problem is in control/question.php, line 323:

    function oneditanswer() {
        $navtitle = '修改回答';
        // $aid is taken straight from the URL (/editanswer/<aid>/...) or the POST body
        $aid = $this->get[2] ? $this->get[2] : $this->post['aid'];
        $answer = $_ENV['answer']->get($aid);
        (!$answer) && $this->message("回答不存在或已被删除!", "STOP");
        $question = $_ENV['question']->get($answer['qid']);
        $navlist = $_ENV['category']->get_navigation($question['cid'], true);
        if (isset($this->post['submit'])) {
            $content = $this->post['content'];
            $viewurl = urlmap('question/view/' . $question['id'], 2);
            // moderation setting and filtering of external URLs in the content
            $status = intval(2 != (2 & $this->setting['verify_question']));
            $allow = $this->setting['allow_outer'];
            if (3 != $allow && has_outer($content)) {
                0 == $allow && $this->message("内容包含外部链接,发布失败!", $viewurl);
                1 == $allow && $status = 0;
                2 == $allow && $content = filter_outer($content);
            }
            // banned-word check
            $contentarray = checkwords($content);
            1 == $contentarray[0] && $status = 0;
            2 == $contentarray[0] && $this->message("内容包含非法关键词,发布失败!", $viewurl);
            $content = $contentarray[1];
            // nothing above has compared the answer's owner with the logged-in user
            $_ENV['answer']->update_content($aid, $content, $status);
            if (0 == $status) {
                $this->message('修改回答成功!为了确保问答的质量,我们会对您的回答内容进行审核。请耐心等待......', $viewurl);
            } else {
                $this->message('修改回答成功!', $viewurl);
            }
        }
        include template("editanswer");
    }

At line 348 this calls into model/answer.class.php, line 138:

    function update_content($aid, $content, $status = 0) {
        $this->db->query("UPDATE `" . DB_TABLEPRE . "answer` set content='$content',status=$status WHERE `id` =$aid");
    }
Neither the controller nor the model ever compares the answer's owner with the current user: the UPDATE is keyed on `id` alone and runs as soon as the answer exists and the content passes the moderation filters. Any logged-in user who supplies another person's answer ID in the editanswer URL therefore overwrites that answer, which is the vulnerability.
Suggested fix: before updating, verify that the answer being edited belongs to the current user (or that the user is an administrator), and scope the UPDATE itself to the owner's rows so the check cannot be bypassed.
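The check the fix calls for, as an added example that is not Tipask's own code. It shows the report's vulnerable UPDATE shape next to a hardened version where the owner is part of the WHERE clause, plus the fail-closed controller guard that belongs right after the "answer exists" test. It runs stand-alone against an in-memory SQLite database (PHP with pdo_sqlite). Assumptions not taken from the page: the answer table has an `authorid` column holding the owner's user id, the current user id is passed in as `$uid`, and all function and column names are illustrative. The constructed rows below (answer 3608 owned by user 7, attacker user 42) are sample data, not real Tipask records.

```php
<?php
// Added example, not Tipask's own code. Assumed schema: answer(id, qid, authorid, content, status).
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE answer (id INTEGER PRIMARY KEY, qid INTEGER,
                                    authorid INTEGER, content TEXT, status INTEGER)");
    // Constructed sample row: answer 3608 on question 19260, owned by user 7.
    $db->exec("INSERT INTO answer VALUES (3608, 19260, 7, 'original answer', 1)");
    return $db;
}

// Vulnerable form: same shape as the update_content() in the report (with a
// prepared statement instead of string concatenation). The row is selected
// by id alone, so whoever controls $aid controls which answer is overwritten.
function update_content_unchecked(PDO $db, int $aid, string $content, int $status = 0): bool
{
    $stmt = $db->prepare("UPDATE answer SET content = :content, status = :status WHERE id = :aid");
    $stmt->execute([':content' => $content, ':status' => $status, ':aid' => $aid]);
    return $stmt->rowCount() === 1;
}

// Hardened form: the owner is part of the WHERE clause. Even if a
// controller-level check is bypassed, the query cannot touch another
// user's row, and rowCount() tells the caller whether anything changed.
function update_content(PDO $db, int $aid, int $uid, string $content, int $status = 0): bool
{
    $stmt = $db->prepare("UPDATE answer SET content = :content, status = :status
                          WHERE id = :aid AND authorid = :uid");
    $stmt->execute([':content' => $content, ':status' => $status, ':aid' => $aid, ':uid' => $uid]);
    return $stmt->rowCount() === 1;
}

// Controller-side guard for oneditanswer(): deny by default, allow only the
// author or an administrator. $answer is the row loaded by $_ENV['answer']->get().
function may_edit_answer(array $answer, int $uid, bool $is_admin = false): bool
{
    return $is_admin || (int)$answer['authorid'] === $uid;
}

function content_of(PDO $db, int $aid): string
{
    $stmt = $db->prepare("SELECT content FROM answer WHERE id = :aid");
    $stmt->execute([':aid' => $aid]);
    return (string)$stmt->fetchColumn();
}

$attacker = 42;
$owner = 7;
$answer = ['id' => 3608, 'qid' => 19260, 'authorid' => $owner];

// 1. Vulnerable path: attacker 42 edits answer 3608, which belongs to user 7.
$db = make_db();
update_content_unchecked($db, 3608, 'defaced by 42', 1);
echo "unchecked path, content now: " . content_of($db, 3608) . "\n";

// 2. Hardened path: the same request from the attacker is refused at the
//    controller guard, and the scoped UPDATE would have matched no row anyway.
$db = make_db();
$ok = may_edit_answer($answer, $attacker) && update_content($db, 3608, $attacker, 'defaced by 42', 1);
echo "attacker edit allowed: " . var_export($ok, true) . ", content: " . content_of($db, 3608) . "\n";

// 3. The real owner is still able to edit.
$ok = may_edit_answer($answer, $owner) && update_content($db, 3608, $owner, 'corrected by owner', 1);
echo "owner edit allowed: " . var_export($ok, true) . ", content: " . content_of($db, 3608) . "\n";
```

Keeping the ownership constraint in the query as well as in the controller is deliberate: the controller check gives the user a clear error, while the `AND authorid = :uid` clause means a future code path that forgets the check (a new API endpoint, a bulk-edit feature) still cannot modify someone else's answer.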
Vendor response: the vendor could not be reached, or actively declined the report.