إرسال #850792: Craftcms CMS 5.10.1 Authorization Bypassالمعلومات

عنوانCraftcms CMS 5.10.1 Authorization Bypass
الوصفMissing Authorization Check Allows Non-Admin CP Users to Reorder Global Sets The `reorder-sets` action in Craft CMS's `GlobalsController` is missing the `requireAdmin()` check that the adjacent `save-set` and `delete-set` actions both enforce. Any authenticated CP user can POST to `/actions/globals/reorder-sets` and permanently reorder all global sets in the project config, regardless of whether they have admin access. The reordering is written through to the project config and persists across requests. ### Details `GlobalsController` exposes three administrative actions for managing global set structure. Two of them gate on admin status; the third does not: ```php // vendor/craftcms/cms/src/controllers/GlobalsController.php public function actionSaveSet(): ?Response { $this->requirePostRequest(); $this->requireAdmin(); // enforced // ... } public function actionReorderSets(): Response { $this->requirePostRequest(); $this->requireAcceptsJson(); // requireAdmin() is absent $setIds = Json::decode($this->request->getRequiredBodyParam('ids')); Craft::$app->getGlobals()->reorderSets($setIds); return $this->asSuccess(); } public function actionDeleteSet(): Response { $this->requirePostRequest(); $this->requireAcceptsJson(); $this->requireAdmin(); // enforced // ... } ``` `reorderSets` writes the new order into the project config via `$projectConfig->set()`: ```php // vendor/craftcms/cms/src/services/Globals.php public function reorderSets(array $setIds): bool { $projectConfig = Craft::$app->getProjectConfig(); $uidsByIds = []; foreach ($setIds as $setId) { $uidsByIds[$setId] = Db::uidById(Table::GLOBALSETS, $setId); } foreach ($uidsByIds as $setId => $uid) { $sortOrder = array_search($setId, $setIds) + 1; $projectConfig->set(ProjectConfig::PATH_GLOBAL_SETS . '.' . $uid . '.sortOrder', $sortOrder); } return true; } ``` The project config change is applied immediately and persisted. Because any authenticated CP user satisfies `requirePostRequest()` and `requireAcceptsJson()`, the effective access control for this action is only "has a CP session."
المصدر⚠️ https://github.com/craftcms/cms/commit/9bd05c91e6a7e6da5e949ec41a31c220c059aa04
المستخدم
 geochen (UID 78995)
ارسال07/06/2026 05:24 AM (29 أيام منذ)
الاعتدال05/07/2026 08:26 PM (29 days later)
الحالةتمت الموافقة
إدخال VulDB376387 [Craft CMS حتى 4.18.0.1 reorder-sets Endpoint GlobalsController.php actionReorderSets تجاوز الصلاحيات]
النقاط20

Do you know our Splunk app?

Download it now for free!