乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-08-12: 细节已通知厂商并且等待厂商处理中 2014-08-13: 厂商已经确认,细节仅向厂商公开 2014-10-07: 细节向核心白帽子及相关领域专家公开 2014-10-17: 细节向普通白帽子公开 2014-10-27: 细节向实习白帽子公开 2014-11-10: 厂商已经修复漏洞并主动公开,细节向公众公开
RT
mod_user.php
public function save_profile() { $user_info =@ ParamHolder::get('user', array()); $extend_info=& ParamHolder::get('extends', array()); if (sizeof($user_info) <= 0) { $this->assign('json', Toolkit::jsonERR(__('Missing user information!'))); return '_result'; } $user_id = SessionHolder::get('user/id',0); if (empty($user_id)){ $this->assign('json', Toolkit::jsonERR(__('Login first!'))); return '_result'; } $passwd_changed = false; try { $o_user = new User($user_id); if($o_user->s_role=='{admin}'){ $this->assign('json', Toolkit::jsonERR(__('Role Error!'))); return '_result'; } if ($user_info['email'] != $o_user->email) { /* Check duplicates */ if ($o_user->count("email=?", array($user_info['email'])) > 0) { $this->assign('json', Toolkit::jsonERR(__('User E-mail address exists!'))); return '_result'; } } $custom_fields=array(); $fields= UserField::findAll2(" showinlist='1' "," order by i_order"); foreach($fields as $fieldinfo){ $fieldname="field".$fieldinfo['id']; $fieldtype=$fieldinfo['field_type']; $propname=$fieldinfo['label']; $isrequired=$fieldinfo['required']; if($isrequired=='1' && ($fieldtype == 0 && (!isset($user_info[$propname]) || UserField::trim($user_info[$propname])=='') || $fieldtype != 0 &&(!isset($extend_info[$fieldname]) ||UserField::trim($extend_info[$fieldname])==''))){ $label=UserField::getUserDefineLabel($fieldinfo); $this->assign('json', Toolkit::jsonERR(__('The field cannot be empty!').":{$label}")); return '_result'; }else if($fieldtype != 0){ if(isset($extend_info[$fieldname]) && UserField::trim($extend_info[$fieldname])!=''){ $custom_fields[$fieldname] =$extend_info[$fieldname]; } } } $user_info['params'] =json_encode($custom_fields); $o_user->set($user_info); /* Check password */ $passwd_info =@ ParamHolder::get('passwd', array()); if (sizeof($passwd_info) != 2) { $this->assign('json', Toolkit::jsonERR(__('Invalid Password!'))); return '_result'; } if (strlen(trim($passwd_info['passwd'])) > 0 || strlen(trim($passwd_info['re_passwd'])) > 0) { if ($passwd_info['passwd'] == $passwd_info['re_passwd']) { $o_user->passwd = sha1($passwd_info['passwd']); $passwd_changed = true; } } $o_user->save(); } catch (Exception $ex) { $this->assign('json', Toolkit::jsonERR($ex->getMessage())); return '_result'; } if ($passwd_changed) { SessionHolder::destroy(); $this->assign('json', Toolkit::jsonOK(array('forward' => 'index.php'))); } else { $forward_url = Html::uriquery('mod_user', 'edit_profile'); $this->assign('json', Toolkit::jsonOK(array('forward' => $forward_url))); } return '_result'; }
将post过来的数据循环带入了数据库,这个cms的 管理员和普通用户在一个表,判断权限的是s_role字段。我们注册用户,修改资料post数据。。添加参数
user%5Bs_role%5D={admin}
即可成功提升到管理员权限。
修复~么么哒
危害等级:中
漏洞Rank:10
确认时间:2014-08-13 18:01
补丁已经发布,请去官网更新补丁或下载最新安装包,谢谢。
2014-08-13:谢谢!