zoujingli / ThinkAdmin

A minimalist backend management system based on ThinkPHP6, with built-in annotation-based permissions, asynchronous multitasking, an application plugin ecosystem and more; supports PaaS-style updates of common modules and application plugins, and plugins can be customised and developed locally.
https://thinkadmin.top
MIT License

ThinkAdmin V4.0 authority control & Information Disclosure vulnerability #173

Closed xzoya closed 5 years ago

xzoya commented 5 years ago

There is an authority control & information disclosure vulnerability in ThinkAdmin v4.0. As admin, if you change your password, your cookie won't become invalid, and it won't become invalid until the end of its life cycle. So if attackers got the admin's cookie, even though traces of the attackers were found and the admin changed his password, the attackers can still enter the management system.

POC:

1. Suppose the attacker got the admin's cookie. [screenshot]

2. We use Edit_this_cookie to change the cookie. [screenshot]

3. Admin changes his own password. [screenshot]

4. We can see the attackers still have access to this management system. [screenshot]

I have analysed the source code that results in this vulnerability. The problem is present in ..\application\admin\controller\User.php

The original source code is:

```php
public function pass()
{
    if ($this->request->isGet()) {
        $this->assign('verify', false);
        return $this->_form($this->table, 'pass');
    }
    $post = $this->request->post();
    if ($post['password'] !== $post['repassword']) {
        $this->error('两次输入的密码不一致!');
    }
    $data = ['id' => $post['id'], 'password' => md5($post['password'])];
    // The new password is stored, but the existing session is left untouched,
    // so any session created with the old password stays valid.
    if (DataService::save($this->table, $data, 'id')) {
        $this->success('密码修改成功,下次请使用新密码登录!', '');
    }
    $this->error('密码修改失败,请稍候再试!');
}
```

And for this, I have made a patch:

```php
public function pass()
{
    if ($this->request->isGet()) {
        $this->assign('verify', false);
        return $this->_form($this->table, 'pass');
    }
    $post = $this->request->post();
    if ($post['password'] !== $post['repassword']) {
        $this->error('两次输入的密码不一致!');
    }
    $data = ['id' => $post['id'], 'password' => md5($post['password'])];
    if (DataService::save($this->table, $data, 'id')) {
        /* $this->success('密码修改成功,下次请使用新密码登录!', ''); */
        // After a successful password change, log the event, clear the
        // login marker and destroy the session so the old cookie is useless,
        // then send the user back to the login page.
        if (session('id')) {
            LogService::write('系统管理', '用户退出系统成功');
        }
        session('id', null);
        session_destroy();
        $this->success('修改成功,请重新登陆!', '@admin/login');
    }
    $this->error('密码修改失败,请稍候再试!');
}
```

Author:schur happyhackingschur@gmail.com
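The patch above destroys the session that submits the password form. The following is an added example (not ThinkAdmin's code, and not part of the report) showing the more general approach an application can take: bind every session to a per-user "session generation" counter and bump that counter when the password changes, so every session issued before the change, including any copy of a stolen cookie, is rejected on its next request. The `UserStore` and `SessionStore` classes are hypothetical in-memory stand-ins for the database and session backend.

```php
<?php
// Added example: invalidate all of a user's sessions on password change by
// comparing a generation number stored in the session with the one stored
// on the user record. Names and storage are hypothetical stand-ins.

declare(strict_types=1);

final class UserStore
{
    /** @var array<int, array{password_hash: string, session_generation: int}> */
    private array $users = [];

    public function create(int $id, string $password): void
    {
        $this->users[$id] = [
            'password_hash'      => password_hash($password, PASSWORD_DEFAULT),
            'session_generation' => 1,
        ];
    }

    public function generation(int $id): int
    {
        return $this->users[$id]['session_generation'];
    }

    public function verify(int $id, string $password): bool
    {
        return isset($this->users[$id])
            && password_verify($password, $this->users[$id]['password_hash']);
    }

    /** Store the new hash and bump the generation so every old session dies. */
    public function changePassword(int $id, string $newPassword): void
    {
        $this->users[$id]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $this->users[$id]['session_generation']++;
    }
}

final class SessionStore
{
    /** @var array<string, array{user_id: int, generation: int}> */
    private array $sessions = [];

    /** Issue a fresh random session id bound to the user's current generation. */
    public function login(UserStore $users, int $userId): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->sessions[$sid] = [
            'user_id'    => $userId,
            'generation' => $users->generation($userId),
        ];
        return $sid;
    }

    /** Resolve a session cookie to a user id, or null if it is no longer valid. */
    public function currentUser(UserStore $users, string $sid): ?int
    {
        if (!isset($this->sessions[$sid])) {
            return null;
        }
        $s = $this->sessions[$sid];
        // A session whose generation lags behind the user's was issued before
        // the last password change; drop it server-side and deny access.
        if ($s['generation'] !== $users->generation($s['user_id'])) {
            unset($this->sessions[$sid]);
            return null;
        }
        return $s['user_id'];
    }
}

// Walk through the scenario in the report with constructed data.
$users    = new UserStore();
$sessions = new SessionStore();
$users->create(1, 'old-password');

$adminSid  = $sessions->login($users, 1);
$stolenSid = $adminSid; // a copied cookie carries the same session id
echo 'before change, stolen cookie valid: '
    . var_export($sessions->currentUser($users, $stolenSid) === 1, true) . PHP_EOL;

// The admin changes the password; no explicit per-session logout is needed.
$users->changePassword(1, 'new-password');
echo 'after change, stolen cookie valid:  '
    . var_export($sessions->currentUser($users, $stolenSid) === 1, true) . PHP_EOL;

// A fresh login with the new password receives a session at the new generation.
if ($users->verify(1, 'new-password')) {
    $freshSid = $sessions->login($users, 1);
    echo 'fresh login valid:                  '
        . var_export($sessions->currentUser($users, $freshSid) === 1, true) . PHP_EOL;
}
```

The generation check runs on every authenticated request, which is what makes it robust against sessions the application never sees at change time (a second browser, or a cookie copied to another machine); it also replaces `md5()` with `password_hash()`/`password_verify()`, which is the PHP-native way to store a password.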

zoujingli commented 5 years ago

This problem is hard to avoid. With ThinkPHP's default Session mechanism, tampering with the Cookie grants the corresponding user's permissions. In the new version most operations already include CSRF protection, but that cannot completely solve this problem either, because this also counts as a normal login. In the new version the cookie configuration sets httponly and a timeout, which avoids these problems as far as possible.

zoujingli commented 5 years ago

The current cookie configuration: [screenshot]. In addition, the session var_session_id setting can be configured as empty, so that a session_id is not accepted automatically.