| Field | Value |
|---|---|
| Title | iteachyou dreamer_cms 4.1.3 broken function level authorization |
| Description | A vertical privilege escalation vulnerability exists in the file download functionality of the CMS attachment management module. Unauthorized users (without admin permission) can exploit this vulnerability to download arbitrary system attachments, leading to potential sensitive data exposure. |

### Exploitation Scenario

**Preconditions**:

1. Attacker has valid low-privilege user credentials
2. CMS system exposes `/admin/attachment/download` endpoint

**Attack Workflow**:

1. **Reconnaissance**:
   - Attacker identifies accessible attachment IDs through:
     - Brute-force ID enumeration (sequential/non-sequential)
     - Information leaks from other API responses
     - Social engineering (phishing legitimate users)
2. **Exploitation**:
   ```http
   GET /admin/attachment/download?id=admin_restricted_file123 HTTP/1.1
   Host: target-cms.com
   Cookie: JSESSIONID=attacker_session_token
   ```
3. **Impact Realization**:
   - Server returns HTTP 200 with file stream
   - Attacker obtains:
     - Internal documents (PDF/XLS/DOC)
     - Configuration files
     - User PII data
     - System backup files

### Technical Analysis

1. **Missing Defense Layers**:
   - ❌ Shiro `@RequiresPermissions` annotation absent
   - ❌ No ownership validation between `attachment.createBy` and current user
   - ❌ No rate limiting/access logging for download operations
2. **Attack Surface Expansion**:
   - All attachments become accessible through:
     - IDOR (Insecure Direct Object Reference)
     - Predictable Snowflake ID generation (`IdUtil.getSnowflakeNextIdStr()`)
   - Impact severity increases with:
     - Horizontal permission misconfiguration
     - Admin-level attachments stored in system

---

## Evidence Indicators

- **Successful Exploitation**:
  - HTTP 200 response with `Content-Disposition: attachment` header
  - Absence of permission-related exceptions in server logs
  - Matching timestamps between download request and file access events
- **Failed Exploitation**:
  - HTTP 403 Forbidden (after proper fix implementation)
  - Security exceptions logged for unauthorized access attempts

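The following is an added example, not part of the submitted report or of dreamer_cms, of turning the indicators above into a check that can be run over logs: a download request that returned HTTP 200 with a file attachment but has no corresponding authorization decision in the application log is exactly the pre-fix behaviour described above. The access-log and application-log line shapes are constructed for the example, as are the sample lines in `main`; a real deployment would adapt the two regular expressions to its own log layout.

```java
// Added example (not from the report or the project): triage of constructed
// log lines for downloads served without an authorization decision.
package example.attachment;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DownloadLogTriage {

    // Constructed access-log shape:
    //   <time> <session> "GET /admin/attachment/download?id=<id>" <status> <attachment|->
    // The last field records whether a Content-Disposition: attachment header was sent.
    private static final Pattern ACCESS = Pattern.compile(
        "^(\\S+) (\\S+) \"GET (/admin/attachment/download\\?id=([^\\s\"]+))\" (\\d{3}) (attachment|-)$");

    // Constructed application-log shape written by a hardened handler:
    //   ... attachment download granted: user=<u> id=<id> ...
    //   ... attachment download denied:  user=<u> id=<id> ...
    private static final Pattern DECISION = Pattern.compile(
        "attachment download (granted|denied): user=\\S+ id=(\\S+)");

    /**
     * Returns the ids of downloads that returned 200 with a file but for which
     * the application log holds no "granted" decision. Before the fix every
     * download looks like this; after the fix the list should be empty.
     */
    public static List<String> unauditedDownloads(List<String> accessLog, List<String> appLog) {
        Set<String> granted = new HashSet<>();
        for (String line : appLog) {
            Matcher m = DECISION.matcher(line);
            if (m.find() && m.group(1).equals("granted")) {
                granted.add(m.group(2));
            }
        }
        List<String> suspicious = new ArrayList<>();
        for (String line : accessLog) {
            Matcher m = ACCESS.matcher(line);
            if (!m.matches()) {
                continue; // not a download request in the expected shape
            }
            String id = m.group(4);
            boolean servedFile = m.group(5).equals("200") && m.group(6).equals("attachment");
            if (servedFile && !granted.contains(id)) {
                suspicious.add(id);
            }
        }
        return suspicious;
    }

    public static void main(String[] args) {
        // Constructed sample lines: one audited download, one unaudited
        // download, and one request that was correctly refused with 403.
        List<String> access = List.of(
            "2025-04-14T13:41:00Z sess-A \"GET /admin/attachment/download?id=1001\" 200 attachment",
            "2025-04-14T13:41:05Z sess-B \"GET /admin/attachment/download?id=1002\" 200 attachment",
            "2025-04-14T13:41:09Z sess-B \"GET /admin/attachment/download?id=1003\" 403 -");
        List<String> app = List.of(
            "2025-04-14T13:41:00Z INFO attachment download granted: user=admin id=1001 file=report.pdf",
            "2025-04-14T13:41:09Z WARN attachment download denied: user=guest id=1003 owner=admin reason=not-owner");
        System.out.println("downloads served without an authorization record: "
                + unauditedDownloads(access, app));
    }
}
```

The check keys on the attachment id rather than the session, because the indicator in the report is the absence of any permission decision for a served file; correlating the `user=` field against the session's principal, and the request timestamp against file-system access events, is the natural next step once the unaudited ids are known.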
---

## Recommended Mitigations

```java
@RequiresPermissions("system:attachment:download") // Add permission control
```
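As an added example (not code from the report or from dreamer_cms), the handler below shows the three layers the Technical Analysis lists as missing, in one place: the Shiro `@RequiresPermissions` gate recommended above, an ownership check against `attachment.createBy`, and an audit log line for every decision. It assumes Apache Shiro with its annotation advisor enabled, Spring MVC and SLF4J on the classpath (`javax.servlet`, as used by Spring Boot 2.x). The endpoint path and permission string are the report's; the class, method and repository names (`AttachmentDownloadController`, `AttachmentRepository`, `mayDownload`) and the `admin` role name are hypothetical.

```java
// Added example: a hardened attachment download handler. Not dreamer_cms's own
// code; Shiro, Spring MVC and SLF4J are assumed, all other names are hypothetical.
package example.attachment;

import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;

import javax.servlet.http.HttpServletResponse; // jakarta.servlet on Spring Boot 3

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AttachmentDownloadController {

    private static final Logger log = LoggerFactory.getLogger(AttachmentDownloadController.class);

    /** Minimal view of a stored attachment (hypothetical shape). */
    public interface Attachment {
        String getId();
        String getCreateBy();      // owner, the report's attachment.createBy
        String getFileName();
        String getStoragePath();
    }

    /** Lookup by id (hypothetical; a real app would use its own DAO/service). */
    public interface AttachmentRepository {
        Attachment findById(String id);
    }

    private final AttachmentRepository attachments;

    public AttachmentDownloadController(AttachmentRepository attachments) {
        this.attachments = attachments;
    }

    /**
     * Object-level decision, kept framework-free so it can be unit tested:
     * the caller must own the attachment or hold the admin role.
     */
    static boolean mayDownload(String user, boolean isAdmin, Attachment att) {
        return isAdmin || (user != null && user.equals(att.getCreateBy()));
    }

    // Layer 1: Shiro's annotation interceptor rejects the request before the
    // body runs unless the subject holds the permission the report recommends.
    @RequiresPermissions("system:attachment:download")
    @GetMapping("/admin/attachment/download")
    public void download(@RequestParam("id") String id, HttpServletResponse response) throws IOException {
        Subject subject = SecurityUtils.getSubject();
        String user = String.valueOf(subject.getPrincipal());

        Attachment att = attachments.findById(id);
        if (att == null) {
            // Unknown ids are recorded too, so enumeration attempts leave a trail.
            log.warn("attachment download denied: user={} id={} reason=not-found", user, id);
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Layer 2: ownership validation between attachment.createBy and the caller.
        // Holding the function-level permission alone does not grant every object.
        if (!mayDownload(user, subject.hasRole("admin"), att)) {
            log.warn("attachment download denied: user={} id={} owner={} reason=not-owner",
                    user, id, att.getCreateBy());
            // Expected to be mapped to HTTP 403 by the application's exception
            // handler, which is the failed-exploitation indicator above.
            throw new AuthorizationException("not permitted to download attachment " + id);
        }

        // Layer 3: access logging of every granted download, so request timestamps
        // can be matched against file access events during an investigation.
        log.info("attachment download granted: user={} id={} file={}", user, id, att.getFileName());

        response.setContentType("application/octet-stream");
        response.setHeader("Content-Disposition", "attachment; filename=\"" + att.getFileName() + "\"");
        try (OutputStream out = response.getOutputStream()) {
            Files.copy(Paths.get(att.getStoragePath()), out);
        }
    }
}
```

Two points worth checking when applying the annotation alone, as the mitigation above suggests: `@RequiresPermissions` is only enforced if Shiro's annotation advisor is registered for the controller beans, otherwise it is silently ignored, and even when enforced it answers only "may this user download at all". The `mayDownload` check is what stops a low-privilege user who legitimately holds the permission from fetching another user's attachment by id, which is the IDOR half of the report.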

| Field | Value |
|---|---|
| Source | https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1 |
| User | Anonymous User |
| Submission | 14/04/2025 01:41 PM (1 year ago) |
| Moderation | 26/04/2025 09:41 AM (12 days later) |
| Status | Approved |
| VulDB Entry | 306313 [iteachyou Dreamer CMS up to 4.1.3 Attachment download id authorization bypass] |
| Points | 20 |