Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] 严重漏洞,拿自己部署的QD的数据库DB文件恢复别人的QD站点,可以把别人的站点搞崩溃,我的已经被别人搞崩溃了 #493

Closed
4 tasks done
xuexiaokang opened this issue Jan 19, 2024 · 1 comment · Fixed by #494
Closed
4 tasks done

[Bug] 严重漏洞,拿自己部署的QD的数据库DB文件恢复别人的QD站点,可以把别人的站点搞崩溃,我的已经被别人搞崩溃了 #493

xuexiaokang opened this issue Jan 19, 2024 · 1 comment · Fixed by #494
Labels
bug Something isn't working

Comments

@xuexiaokang
Copy link

Verify steps

  • Tracker 我已经在 Issue Tracker 中找过我要提出的问题
  • Latest 我已经使用 最新源码 测试过,问题依旧存在
  • Core 这是 QD 框架存在的问题,并非我所使用的 QD 早期版本(如 20210628及之前版号 等)或模板的特定问题
  • Meaningful 我提交的不是无意义的 催促更新或修复 请求

QD Version

20230821

Bug on OS

Windows

Bug on Platform

Docker/Linux 64位

To Reproduce

拿自己部署的QD的数据库DB文件恢复别人的QD站点,可以把别人的站点搞崩溃,我的已经被别人搞崩溃了

Describe the Bug

应该是权限漏洞,没有限制普通用户上传DB数据库,从而导致整站崩溃

QD config

No response

QD log

File "/usr/src/app/db/user.py", line 153, in encrypt
        return crypto.aes_encrypt(data, userkey)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/src/app/libs/mcrypto.py", line 46, in aes_encrypt
        aes = AES.new(key, mode, iv)
              ^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/Crypto/Cipher/AES.py", line 228, in new
        return _create_cipher(sys.modules[__name__], key, mode, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/Crypto/Cipher/__init__.py", line 79, in _create_cipher
        return modes[mode](factory, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/Crypto/Cipher/_mode_cbc.py", line 274, in _create_cbc_cipher
        cipher_state = factory._create_base_cipher(kwargs)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/Crypto/Cipher/AES.py", line 89, in _create_base_cipher
        if len(key) not in key_size:
           ^^^^^^^^
    TypeError: object of type 'int' has no len()
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/lib/python3.11/site-packages/tornado/web.py", line 1786, in _execute
        result = await result
                 ^^^^^^^^^^^^
      File "/usr/src/app/web/handlers/login.py", line 265, in post
        await self.send_mail(user)
      File "/usr/src/app/web/handlers/login.py", line 298, in send_mail
        verified_code = await self.db.user.encrypt(user['id'], verified_code)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/src/app/db/user.py", line 155, in encrypt
        raise self.UserDBException('encrypt error')
    db.user.User.UserDBException: encrypt error

Expected behavior

这是个非常严重的漏洞,修复的同时建议能增加数据库自动备份的功能

Screenshots

No response
@xuexiaokang xuexiaokang added the bug Something isn't working label Jan 19, 2024
@acooler15
Copy link
Member

经过测试,的确存在“未验证管理员权限”的问题

acooler15 added a commit to acooler15/qd that referenced this issue Jan 21, 2024
@acooler15
Fix: recovery permission
7536d80 
fix qd-today#493
@acooler15 acooler15 mentioned this issue Jan 21, 2024
Merged
a76yyyy pushed a commit that referenced this issue Jan 21, 2024
@acooler15
Fix: recovery permission (#494)
8d6b90d 
fix #493
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix: 恢复数据库时的权限验证问题 acooler15/qd
2 participants
@xuexiaokang @acooler15