
ThinkAdmin V4.0 authority control&Information Disclosure vulnerability #173

Closed
xzoya opened this issue Apr 6, 2019 · 2 comments

Comments

@xzoya

xzoya commented Apr 6, 2019

There is an authority control & information disclosure vulnerability in ThinkAdmin v4.0.
As admin, if you change your password, your cookie does not become invalid; it stays valid until the end of its life cycle. So if attackers got the admin's cookie, then even though traces of the attackers were found and the admin changed his password, the attackers can still enter the management system.
POC:
1: Suppose the attacker got the admin's cookie.
(screenshot)

2: We use EditThisCookie to change the cookie.
(screenshot)

3: The admin changes his own password.
(screenshot)

4: We can see the attackers still have access to this management system.
(screenshot)

I have analysed the source code that results in this vulnerability.
The problem is in ..\application\admin\controller\User.php

The original source code is:

```php
public function pass()
{
    if ($this->request->isGet()) {
        $this->assign('verify', false);
        return $this->_form($this->table, 'pass');
    }
    $post = $this->request->post();
    if ($post['password'] !== $post['repassword']) {
        $this->error('两次输入的密码不一致!'); // "The two passwords entered do not match!"
    }
    $data = ['id' => $post['id'], 'password' => md5($post['password'])];
    if (DataService::save($this->table, $data, 'id')) {
        // Password is saved, but the current session (and any copy of its cookie) stays valid
        $this->success('密码修改成功,下次请使用新密码登录!', ''); // "Password changed, please use the new password next time you log in!"
    }
    $this->error('密码修改失败,请稍候再试!'); // "Password change failed, please try again later!"
}
```

And for this, I have made a patch.

```php
public function pass()
{
    if ($this->request->isGet()) {
        $this->assign('verify', false);
        return $this->_form($this->table, 'pass');
    }
    $post = $this->request->post();
    if ($post['password'] !== $post['repassword']) {
        $this->error('两次输入的密码不一致!'); // "The two passwords entered do not match!"
    }
    $data = ['id' => $post['id'], 'password' => md5($post['password'])];
    if (DataService::save($this->table, $data, 'id')) {
        /* $this->success('密码修改成功,下次请使用新密码登录!', ''); */
        // Log the user out and destroy the session so the old cookie no longer grants access
        if (session('id')) {
            LogService::write('系统管理', '用户退出系统成功'); // "System management", "User logged out successfully"
        }
        session('id', null);
        session_destroy();
        $this->success('修改成功,请重新登陆!', '@admin/login'); // "Change succeeded, please log in again!"
    }
    $this->error('密码修改失败,请稍候再试!'); // "Password change failed, please try again later!"
}
```

Author:schur happyhackingschur@gmail.com
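The following is an added example, written for this page and not ThinkAdmin or ThinkPHP code, showing the server-side check that the `pass()` handler above lacks: each session records the user's password version at login, and the per-request authentication check rejects any session whose version no longer matches. Unlike destroying only the session that handles the password-change request, this revokes every session of the user, including one created from a copied cookie. The class names, the in-memory arrays standing in for the database and session storage, and the sample credentials are all assumptions made for the example.

```php
<?php
// Added example, not ThinkAdmin/ThinkPHP code. UserStore and SessionStore are
// hypothetical in-memory stand-ins for the user table and the session backend.
declare(strict_types=1);

final class UserStore
{
    /** @var array<int, array{hash: string, pw_version: int}> */
    private array $users = [];

    public function create(int $id, string $password): void
    {
        // password_hash() instead of the unsalted md5() used in the vulnerable handler
        $this->users[$id] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'pw_version' => 1];
    }

    public function verify(int $id, string $password): bool
    {
        return isset($this->users[$id]) && password_verify($password, $this->users[$id]['hash']);
    }

    public function version(int $id): int
    {
        return $this->users[$id]['pw_version'];
    }

    // Changing the password bumps the version; every session that recorded the old
    // version becomes stale, whoever holds its cookie.
    public function changePassword(int $id, string $newPassword): void
    {
        $this->users[$id]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $this->users[$id]['pw_version']++;
    }
}

final class SessionStore
{
    /** @var array<string, array{uid: int, pw_version: int}> */
    private array $sessions = [];

    public function login(UserStore $users, int $uid, string $password): ?string
    {
        if (!$users->verify($uid, $password)) {
            return null;
        }
        $sid = bin2hex(random_bytes(16)); // fresh, unguessable session id on every login
        $this->sessions[$sid] = ['uid' => $uid, 'pw_version' => $users->version($uid)];
        return $sid;
    }

    // Per-request check: the session is valid only while its recorded password
    // version matches the user's current one. Stale sessions are dropped server-side.
    public function authenticate(UserStore $users, string $sid): ?int
    {
        $s = $this->sessions[$sid] ?? null;
        if ($s === null) {
            return null;
        }
        if ($s['pw_version'] !== $users->version($s['uid'])) {
            unset($this->sessions[$sid]);
            return null;
        }
        return $s['uid'];
    }
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Replay the PoC from the issue with constructed data.
$users = new UserStore();
$sessions = new SessionStore();
$users->create(1, 'admin-old-password');

$adminSid  = $sessions->login($users, 1, 'admin-old-password');
$stolenSid = $adminSid; // steps 1-2: attacker copies the admin's cookie
check($sessions->authenticate($users, $stolenSid) === 1, 'stolen cookie works before the password change');

$users->changePassword(1, 'admin-new-password'); // step 3: admin changes the password
check($sessions->authenticate($users, $stolenSid) === null, 'stolen cookie is rejected after the password change');
check($sessions->authenticate($users, $adminSid) === null, 'admin must log in again as well');

$newSid = $sessions->login($users, 1, 'admin-new-password');
check($newSid !== null && $sessions->authenticate($users, $newSid) === 1, 'fresh login with the new password works');
```

Run it with `php example.php`; every `check` line prints `ok`. In a real deployment the version column lives on the user table and the check runs in the login middleware, so the cost is one extra column read per request; the same mechanism also gives you a "log out everywhere" button by bumping the version without changing the password.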

@zoujingli (Owner)

zoujingli commented Apr 8, 2019

This problem is hard to avoid. Session control is based on ThinkPHP's default mechanism, so tampering with the cookie yields the corresponding user's permissions. Most operations in the new version already include CSRF protection, but that cannot fully solve this problem either, because this also counts as a normal login. In the new version the cookie configuration sets httponly and a timeout, which avoids these problems as far as possible.

@zoujingli (Owner)

Current cookie configuration:
(screenshot of the cookie configuration)
Also, the session option var_session_id can be set to empty so that the session_id is not automatically accepted from the request.
