Modify other people's articles by modifying the data package in cherry-toto/jizhicms


Reported on Aug 8th 2022


The program does not check whether the originator of the request has this permission. I can modify the content of other people's articles, and even modify the content by capturing data packets, even if I am not the owner of the article and even if I do not have permission in this respect.

Proof of Concept

$data = $this->frparam();
$data = get_fields_data($data,'article');
// Nothing in this excerpt checks that the article being saved belongs to the logged-in user.
if(!$this->frparam('seo_title',1) && $this->frparam('config_seotitle')==1){
    $data['seo_title'] = $data['title'];
}
if(!$this->frparam('description',1) && $this->frparam('config_description')==1){
    $data['description'] = newstr(strip_tags($data['body']),200);
}
if(!$this->frparam('litpic',1) && $this->frparam('config_litpic')==1){
    // $pattern (an <img src> regex) is defined earlier in the handler and is not included in this excerpt
    $r = preg_match($pattern,$_POST['body'],$matchContent);
    if($r){
        $data['litpic'] = $matchContent[1];
    }else{
        $data['litpic'] = '';
    }
}

#EXP // PoC.js var payload = ...

POST /user/release.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 156
Origin: http://localhost
Connection: close
Referer: http://localhost/user/release.html
Cookie: PHPSESSID=pgbnunsra5bovtngp8g29ue7es



The program does not check whether the initiator of the request has this permission. I can modify the content of other people's articles, or even the attribution, by capturing data packets.
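The report above describes a missing ownership check on the article save handler: the server trusts the article id in the replayed request and never compares the article's owner with the logged-in user, so a second user can overwrite the content and, by posting an owner field, the attribution. The following is an added example written for this page, not code from jizhicms or from its 2.3.6 fix. It models the handler with an in-memory table; the column names (id, userid, title, body) and the `id` request parameter are assumptions made for illustration.

```php
<?php
// Added example: not jizhicms code. It models the /user/release.html save handler
// with an in-memory article table. The column names (id, userid, title, body) and
// the `id` request parameter are assumptions made for illustration.

// Constructed sample rows standing in for the article table.
$articles = [
    1 => ['id' => 1, 'userid' => 10, 'title' => 'Article of user 10', 'body' => 'original'],
    2 => ['id' => 2, 'userid' => 20, 'title' => 'Article of user 20', 'body' => 'original'],
];

// Vulnerable shape: looks the row up by the posted id alone and copies every posted
// field, so the logged-in user ($sessionUser) is never compared with the row owner.
function release_vulnerable(array &$articles, int $sessionUser, array $post): bool
{
    $id = (int)($post['id'] ?? 0);
    if (!isset($articles[$id])) {
        return false;
    }
    foreach ($post as $col => $val) {          // no allow-list: 'userid' goes through too
        if ($col !== 'id' && array_key_exists($col, $articles[$id])) {
            $articles[$id][$col] = is_int($articles[$id][$col]) ? (int)$val : (string)$val;
        }
    }
    return true;
}

// Hardened shape: the row must match both the id and the session user's id, and
// only an explicit allow-list of editable columns is copied from the request.
function release_fixed(array &$articles, int $sessionUser, array $post): bool
{
    $id = (int)($post['id'] ?? 0);
    if (!isset($articles[$id]) || $articles[$id]['userid'] !== $sessionUser) {
        return false;                           // unknown article or not the caller's: refuse
    }
    $editable = ['title', 'body'];              // 'userid' is deliberately not editable
    foreach ($editable as $col) {
        if (array_key_exists($col, $post)) {
            $articles[$id][$col] = (string)$post[$col];
        }
    }
    return true;
}

// User 20 replays a captured save request against user 10's article (id=1) and
// also sends userid=20 to take the article over.
$replayed = ['id' => 1, 'title' => 'changed by user 20', 'body' => 'changed', 'userid' => 20];

$table = $articles;
echo "vulnerable: ", release_vulnerable($table, 20, $replayed) ? 'saved' : 'refused',
     ", article 1 owner is now ", $table[1]['userid'], PHP_EOL;

$table = $articles;
echo "fixed:      ", release_fixed($table, 20, $replayed) ? 'saved' : 'refused',
     ", article 1 owner is still ", $table[1]['userid'], PHP_EOL;
```

Run it with `php release_check.php`: the vulnerable path accepts the replayed request and changes the owner of article 1, the hardened path refuses it and leaves the row untouched. In a database-backed handler the same ownership check belongs in the query itself, as a `WHERE id = ? AND userid = ?` condition on the update, so that it cannot be skipped by a different code path; the allow-list of editable columns is what stops the attribution from being rewritten through a posted field. This is general guidance and not a description of how the project's own fix was implemented.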

We are processing your report and will contact the cherry-toto/jizhicms team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the cherry-toto/jizhicms team and are waiting to hear back a year ago
留恋风 validated this vulnerability a year ago

Thank you for your report. I will fix it in the next version!

breakalegcml has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the cherry-toto/jizhicms team. We will try again in 7 days. a year ago
留恋风 marked this as fixed in 2.3.6 with commit e1abb4 a year ago
留恋风 has been awarded the fix bounty
This vulnerability will not receive a CVE a year ago


Hello, could you please apply for a CVE?
