
There are four CSRF vulnerabilities that can delete users, etc. #42

Open
crazywa1ker opened this issue Jan 22, 2019 · 1 comment

Comments

@crazywa1ker

commented Jan 22, 2019

vulnerability file: https://github.com/creditease-sec/insight/blob/open-source/srcpm/app/admin/views.py

1. line 61

```python
@admin.route('/login_user_delete/<id>')
@permission_required('admin.login_user_delete')
def login_user_delete(id):
    lg_user_del = LoginUser.query.get_or_404(id)
    db.session.delete(lg_user_del)
    flash(u'删除用户 %s 成功' %lg_user_del.username)
    return redirect(url_for('admin.login_user_read'))
```

2. line 154

```python
@admin.route('/role_perm_delete/<role_name>')
@permission_required('admin.role_perm_delete')
def role_perm_delete(role_name):
    role_perm_del = Permission.query.filter_by(role_name=role_name)
    # delete the role's permissions
    for r_p_d in role_perm_del:
        db.session.delete(r_p_d)
    flash(u'删除权限成功')
    # delete the role
    role = Role.query.filter_by(role_name=role_name).first()
    db.session.delete(role)
    flash(u'删除权限 %s 成功' %role_name)
    return redirect(url_for('admin.role_read'))
```

3. line 221

```python
@admin.route('/depart_delete/<id>')
@permission_required('admin.depart_delete')
def depart_delete(id):
    depart_del = Depart.query.get_or_404(id)
    db.session.delete(depart_del)
    flash(u'删除部门成功')
    return redirect(url_for('admin.depart_read'))
```

4. line 293

```python
@admin.route('/user_delete/<id>')
@permission_required('admin.user_delete')
def user_delete(id):
    user_del = User.query.get_or_404(id)
    db.session.delete(user_del)
    flash(u'删除人员成功')
    return redirect(url_for('admin.user_read'))
```

PoC:

1. Post one drop or comment that contains this:
   `![](http://127.0.0.1:9000/srcpm/admin/login_user_delete/[user id])`
2. Wait for the admin to log in and view the post. After the admin's browser requests the image, one user will be deleted.
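The root cause in all four handlers is the same: a state-changing delete is reachable by a plain GET, so any cross-site image or link the admin's browser loads carries the session cookie and performs the action. The fix is to accept only POST and to require a per-session token the cross-site origin cannot read. The following is an added example, not code from the insight project: it shows that check stand-alone (without Flask, so it runs offline) with a hypothetical `Request` stand-in and a hardened `login_user_delete`; in the real app the same effect comes from `methods=['POST']` on the route plus Flask-WTF's `CSRFProtect`.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed server secret for this example; a Flask app would use app.secret_key.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Per-session CSRF token: HMAC-SHA256 over the session id, so a token
    obtained for one session is useless against another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison so the expected token does not leak via timing."""
    if not token:
        return False
    return hmac.compare_digest(csrf_token(session_id).encode(), token.encode())


@dataclass
class Request:
    """Hypothetical stand-in for the Flask request object."""
    method: str
    session_id: str                      # what the session cookie would carry
    form: dict = field(default_factory=dict)


def guard_state_change(req: Request) -> Tuple[int, str]:
    """Reject what an <img> tag (GET) or a cross-site form (POST, no token) can send."""
    if req.method != "POST":
        return 405, "state-changing endpoints must not accept GET"
    if not csrf_valid(req.session_id, req.form.get("csrf_token")):
        return 400, "missing or invalid CSRF token"
    return 200, "ok"


def login_user_delete(req: Request, user_id: str, users: dict) -> Tuple[int, str]:
    """Hardened form of the issue's /login_user_delete/<id> handler."""
    status, msg = guard_state_change(req)
    if status != 200:
        return status, msg
    if user_id not in users:
        return 404, "not found"
    del users[user_id]
    return 200, "deleted %s" % user_id
```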
@sunmlightm

Contributor

commented Feb 15, 2019

The vulnerability has been fixed. Thank you for your attention to the insight system; we hope to exchange ideas more in the future. Thanks.
