There is a Insecure Permissions vulnerability exists in OneBlog <= 2.2.8

[Suggested description]
Insecure Permissions vulnerability exists in OneBlog.Low level administrators can delete high-level administrators beyond their authority (including administrators with the highest authority).

[Vulnerability Type]
Insecure Permissions

[Vendor of Product] 
https://github.com/zhangyd-c/OneBlog

[Affected Product Code Base] 
<= 2.2.8

[Affected Component] 
POST /user/remove HTTP/1.1
Host: localhost:8086
Content-Length: 5
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8086
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8086/users
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms_token=c820882773ab4b6b9719916981b3e9b7; JSESSIONID=c45212ed-03a9-499c-810b-cf5c28e4d5b1
Connection: close

ids= 3（The IDS value is controllable. Any administrator can add, delete, modify and query the data of other administrator users by modifying the IDS value）

[Attack Type] 
Remote

[Vulnerability details]

first, prepare two test accounts with different levels.
Senior administrator admin
![image-20211229164244458](https://user-images.githubusercontent.com/85676107/147647201-cb54a0f2-34fc-4938-9352-7815d636b146.png)
Low level administrator root123
![image-20211229164427567](https://user-images.githubusercontent.com/85676107/147647235-bcfc9ef7-e75a-44ed-a219-402b3be9b9e6.png)
Step 2: log in to the system with root123 and enter the user management page
![image-20211229165138189](https://user-images.githubusercontent.com/85676107/147647266-38957220-6a81-415c-8828-214ebd5634ea.png)
Step 3: click the delete button to directly delete the administrator user admin
![image-20211229165336565](https://user-images.githubusercontent.com/85676107/147647301-53cb95a1-bf48-4548-8cd8-13cf145d418c.png)
Delete succeeded！

In addition, you can also use burpsuite to capture packets and delete any user (including yourself) by modifying the value of ids. This is a logical vulnerability because the default secondary rule of the system is that you cannot delete yourself)

The first step is to log in to the background with root123 account and enter user management.
![image-20211229170717287](https://user-images.githubusercontent.com/85676107/147647380-54f14326-4d6f-405e-8bc4-61056c226bc2.png)
Step 2: after the packet capturing mode is enabled, click the delete button corresponding to user test
![image-20211229171345364](https://user-images.githubusercontent.com/85676107/147647418-1a45d433-45c9-4b78-bc67-e087db3c9f48.png)
You can delete any user by modifying the value of IDS. Here, I modify the value of IDS to the value of the currently logged in user.
![image-20211229171533787](https://user-images.githubusercontent.com/85676107/147647670-1431abf2-b905-421e-a1f7-c683bc3cabd4.png)
Delete succeeded！



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

There is a Insecure Permissions vulnerability exists in OneBlog <= 2.2.8 #29

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

There is a Insecure Permissions vulnerability exists in OneBlog <= 2.2.8 #29

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions