There is an elevation of privilege vulnerability that can control the whole website #1

Open
xinanzai opened this issue Nov 18, 2018 · 0 comments


An issue was discovered in hitshop 1.0beta.

There is an elevation of privilege vulnerability which allows control of the whole website.

Vulnerability trigger point

http://localhost/admin.php/user/add

1. Add a normal store keeper.

2. Log in using the store keeper's jurisdiction; now we just have the privilege of commodity management.

3. Use this account to add another account with administrator privilege.

4. Log in to the fake admin account, and now you have all system privileges.

You can change the old administrators' passwords or any other info of this website.
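A server-side check that would refuse the account creation in step 3, given as an added example that is not part of the original issue or of hitshop's code. The role names, permission strings and `authorizeUserAdd` are assumptions, since the issue does not show hitshop's role model.

```php
<?php
declare(strict_types=1);

// Hypothetical role-to-permission map (assumption: hitshop's real roles are not shown in the issue).
const ROLE_PERMISSIONS = [
    'administrator' => ['user.manage', 'commodity.manage', 'system.config'],
    'store_keeper'  => ['commodity.manage'],
];

/**
 * Decide whether a caller holding $actorRole may create an account with $requestedRole.
 * $actorRole must come from the server-side session, never from the request body.
 * Returns [bool $allowed, string $reason].
 */
function authorizeUserAdd(string $actorRole, string $requestedRole): array
{
    $actorPerms = ROLE_PERMISSIONS[$actorRole] ?? null;
    $newPerms   = ROLE_PERMISSIONS[$requestedRole] ?? null;

    // Reject roles that are not in the server-side allow-list.
    if ($actorPerms === null || $newPerms === null) {
        return [false, 'unknown role'];
    }
    // Check 1: the endpoint itself requires the user-management permission.
    if (!in_array('user.manage', $actorPerms, true)) {
        return [false, 'caller lacks user.manage'];
    }
    // Check 2: a caller may never hand out a permission it does not hold.
    $excess = array_diff($newPerms, $actorPerms);
    if ($excess !== []) {
        return [false, 'would grant: ' . implode(', ', $excess)];
    }
    return [true, 'ok'];
}

// Constructed cases: the first mirrors step 3 of the report.
$cases = [
    ['store_keeper',  'administrator'],
    ['store_keeper',  'store_keeper'],
    ['administrator', 'store_keeper'],
    ['administrator', 'root'],
];
foreach ($cases as [$actor, $role]) {
    [$ok, $why] = authorizeUserAdd($actor, $role);
    printf("%-13s adds %-13s : %s (%s)\n", $actor, $role, $ok ? 'ALLOW' : 'DENY', $why);
}
```

The second check matters independently of the first: even if a store keeper were later granted `user.manage`, it still could not mint an account with permissions beyond its own.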
