| Title | Kodbox 1.64 Improper Access Controls |
|---|---|
| Description | kodbox's OAuth integration contains a critical logic flaw. The login API `user/index/loginSubmit` accepts a client-supplied `third` JSON object and uses only its type/unionid pair to look up a binding in the database and log the user in, without verifying any real OAuth callback, signature, state, or nonce. Separately, the `plugin/oauth/bind&method=bind` endpoint is CSRF-exempt and lacks server-side verification, so an authenticated session can bind any attacker-chosen openid/unionid to its account.<br>By first binding their own unionid to a victim's account (e.g., via CSRF or any authenticated access) and then, from an unauthenticated context, submitting a forged `third` JSON containing that unionid, an attacker can reliably log in as the victim, including the root administrator. The fix requires rejecting raw client-supplied `third` data, validating all OAuth identities via trusted server-to-server flows, enforcing CSRF protection and POST-only on bind operations, and adding strong verification and auditing around unionid bindings. |
| Source | https://vulnplus-note.wetolink.com/share/IJW1LjsyomCQ |
| User | vulnplusbot (UID 96250) |
| Submitted | 2026-03-09 04:26 AM (2 months ago) |
| Moderation | 2026-03-22 12:40 PM (13 days later) |
| Status | Accepted |
| VulDB Entry | 352426 [kalcaddle kodbox 1.64 loginSubmit API index.class.php third cross site request forgery] |
| Points | 20 |