javahuang / SurveyKing

Make a better survey system.
https://surveyking.cn
MIT License

user's old session still alive after admin delete user #57

Open menghaining opened 6 months ago

menghaining commented 6 months ago

Description

The user's session is still active after the admin deletes this user. This can lead to escalation of privileges.

Affected version

v1.3.1, and also the version in the latest Docker image

(updated Nov 10, 2022)

Attack vector(s)

Attacker obtains user1's session ID. Admin deletes user1. Attacker can continue attacking.

POC

  1. user1 logs in.
  2. admin logs in and successfully deletes user1.
  3. Craft a request using user1's old session; it can still view information.
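The failure mode reported above, as an added Python illustration that is not SurveyKing's code: a minimal server-side session store in which deleting a user can either leave the user's sessions alive (the reported behaviour) or revoke them, with an independent check at request time that the session's owner still exists. All names (`SessionStore`, `stale_session_scenario`, the user ids) are constructed for this example.

```python
import secrets
from collections import defaultdict


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self):
        self.users = {}                  # user_id -> account attributes
        self.sessions = {}               # session_id -> user_id
        self.by_user = defaultdict(set)  # user_id -> live session ids, for fast revocation

    def create_user(self, user_id, role="user"):
        self.users[user_id] = {"role": role}

    def login(self, user_id):
        if user_id not in self.users:
            raise PermissionError("unknown user")
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = user_id
        self.by_user[user_id].add(sid)
        return sid

    def revoke_user_sessions(self, user_id):
        """Invalidate every live session of a user (fix 1: revoke on delete)."""
        for sid in self.by_user.pop(user_id, set()):
            self.sessions.pop(sid, None)

    def delete_user(self, user_id, revoke_sessions=True):
        """Remove the account; revoke_sessions=False reproduces the reported bug."""
        self.users.pop(user_id, None)
        if revoke_sessions:
            self.revoke_user_sessions(user_id)

    def authenticate(self, sid, verify_user_exists=True):
        """Resolve a session id to a user id, or None if the session must be rejected."""
        user_id = self.sessions.get(sid)
        if user_id is None:
            return None
        if verify_user_exists and user_id not in self.users:
            # Fix 2 (defence in depth): the session outlived the account, so drop it.
            self.sessions.pop(sid, None)
            return None
        return user_id


def stale_session_scenario(revoke_on_delete, verify_on_request):
    """Replay the report: user1 logs in, admin deletes user1, old session is reused."""
    store = SessionStore()
    store.create_user("user1")
    sid = store.login("user1")
    store.delete_user("user1", revoke_sessions=revoke_on_delete)
    return store.authenticate(sid, verify_user_exists=verify_on_request)
```

With both defences disabled the old session still resolves to user1, which is the behaviour in the report; enabling either one makes the request fail.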