This repository was archived by the owner on Jan 12, 2021. It is now read-only.
This repository was archived by the owner on Jan 12, 2021. It is now read-only.
There are four CSRF vulnerability that can delete user and etc #42
Open
Description
vulnerability file: https://github.com/creditease-sec/insight/blob/open-source/srcpm/app/admin/views.py
- line 61
@admin.route('/login_user_delete/<id>')
@permission_required('admin.login_user_delete')
def login_user_delete(id):
lg_user_del = LoginUser.query.get_or_404(id)
db.session.delete(lg_user_del)
flash(u'删除用户 %s 成功' %lg_user_del.username)
return redirect(url_for('admin.login_user_read'))- line 154
@admin.route('/role_perm_delete/<role_name>')
@permission_required('admin.role_perm_delete')
def role_perm_delete(role_name):
role_perm_del = Permission.query.filter_by(role_name=role_name)
#删除权限
for r_p_d in role_perm_del:
db.session.delete(r_p_d)
flash(u'删除权限成功')
#删除角色
role = Role.query.filter_by(role_name=role_name).first()
db.session.delete(role)
flash(u'删除权限 %s 成功' %role_name)
return redirect(url_for('admin.role_read'))- line 221
@admin.route('/depart_delete/<id>')
@permission_required('admin.depart_delete')
def depart_delete(id):
depart_del = Depart.query.get_or_404(id)
db.session.delete(depart_del)
flash(u'删除部门成功')
return redirect(url_for('admin.depart_read'))- line 293
@admin.route('/user_delete/<id>')
@permission_required('admin.user_delete')
def user_delete(id):
user_del = User.query.get_or_404(id)
db.session.delete(user_del)
flash(u'删除人员成功')
return redirect(url_for('admin.user_read'))poc:
- Post one drops or comment contains this
- Wait admin to login and access the post.After admin query the img , one user will be deleted.
Metadata
Metadata
Assignees
Labels
No labels