Current description

OneBlog v2.3.4 is vulnerable to insecure privileges. Low-level administrators can reset the passwords of high-level administrators who exceed their permissions.

vulnerability recurrence

First log in to the background using the low-privileged user admin/123456，This is a low-privileged user

Click the modify password function, enter the old password and the new password, and then use burpsuite to crawl the packet

POST /passport/updatePwd HTTP/1.1
Host: localhost:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://localhost:8085
Connection: close
Referer: http://localhost:8085/
Cookie: session_user="93lkCfVDA258ElC3HuO7gUY4xGkEK1BFLktUlzaQ+c8="; Hm_lvt_1040d081eea13b44d84a4af639640d51=1654896251; pageno_cookie=1; SHIRO_SESSION_ID=47e409dd-e488-4e2f-8a68-42ae7cd2de9c; 

id=2&password=123456&newPassword=1234567&newPasswordRepeat=1234567

Modify the id parameter to the id of another user, Because there is no verification here that the user id is consistent with the current user.

If the passwords of other users with the same permissions are the same as the password fields passed in, you can change the passwords of users with the same permissions horizontally. If the password of the highly privileged user is the same as the password field passed in, you can change the password of the high privileged account vertically. This feature does not verify that the password field is consistent with the password of the currently logged-in user, so password can be entered at will

Change id to 1. The user with an ID of 1 is the root user with the highest authority, because the password of the root user is the same as the 123456 passed in by password, so it is prompted that the modification was successful, and then you are required to log in again.

Log in to the root account again and find that the original password is no longer available.

Log in successfully with the new password

You can also break the brute force to crack the password field and traverse the id field to try to change other users' passwords in batches.

You can see that the passwords of users with id 5 and 6 have been modified successfully.

Vulnerability analysis

com.zyd.blog.controller.PassportController

Reset the password in the updatePwd method of the / updatePwd path

Follow the com.zyd.blog.business.service.impl#updatePwd ：

First, obtain the User object according to the user id passed by the front-end user. If the User is not null, determine whether the password field passed by the user is consistent with the user password corresponding to the id, and if so, reset the password.

So in fact, neither verifying whether the user id is the currently logged in user, nor verifying that the original password is the password of the current user, which eventually leads to ultra vires vulnerability.