Invia #557639: iteachyou dreamer_cms 4.1.3 broken function level authorizationinformazioni

Titoloiteachyou dreamer_cms 4.1.3 broken function level authorization
DescrizioneA vertical privilege escalation vulnerability exists in the file download functionality of the CMS attachment management module. Unauthorized users (without admin permission)can exploit this vulnerability to download arbitrary system attachments, leading to potential sensitive data exposure. ### Exploitation Scenario **Preconditions**: 1. Attacker has valid low-privilege user credentials 2. CMS system exposes `/admin/attachment/download` endpoint **Attack Workflow**: 1. **Reconnaissance**: - Attacker identifies accessible attachment IDs through: - Brute-force ID enumeration (sequential/non-sequential) - Information leaks from other API responses - Social engineering (phishing legitimate users) 2. **Exploitation**: http GET /admin/attachment/download?id=admin_restricted_file123 HTTP/1.1 Host: target-cms.com Cookie: JSESSIONID=attacker_session_token 3. **Impact Realization**: - Server returns HTTP 200 with file stream - Attacker obtains: - Internal documents (PDF/XLS/DOC) - Configuration files - User PII data - System backup files ### Technical Analysis 1. **Missing Defense Layers**: - ❌ Shiro `@RequiresPermissions` annotation absent - ❌ No ownership validation between `attachment.createBy` and current user - ❌ No rate limiting/access logging for download operations 2. **Attack Surface Expansion**: - All attachments become accessible through: - IDOR (Insecure Direct Object Reference) - Predictable Snowflake ID generation (`IdUtil.getSnowflakeNextIdStr()`) - Impact severity increases with: - Horizontal permission misconfiguration - Admin-level attachments stored in system --- ## Evidence Indicators - **Successful Exploitation**: - HTTP 200 response with `Content-Disposition: attachment` header - Absence of permission-related exceptions in server logs - Matching timestamps between download request and file access events - **Failed Exploitation**: - HTTP 403 Forbidden (after proper fix implementation) - Security exceptions logged for unauthorized access attempts --- ## Recommended Mitigations @RequiresPermissions("system:attachment:download") // Add permission control
Fonte⚠️ https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1
Utente
 Anonymous User
Sottomissione14/04/2025 13:41 (1 Anno fa)
Moderazione26/04/2025 09:41 (12 days later)
StatoAccettato
Voce VulDB306313 [iteachyou Dreamer CMS fino a 4.1.3 Attachment download ID escalationi di privilegi]
Punti20

PrecedenteVisione D'ensembleIl prossimo

Interested in the pricing of exploits?

See the underground prices here!