Submeter #557639: iteachyou dreamer_cms 4.1.3 broken function level authorizationinformação

Títuloiteachyou dreamer_cms 4.1.3 broken function level authorization
DescriçãoA vertical privilege escalation vulnerability exists in the file download functionality of the CMS attachment management module. Unauthorized users (without admin permission)can exploit this vulnerability to download arbitrary system attachments, leading to potential sensitive data exposure. ### Exploitation Scenario **Preconditions**: 1. Attacker has valid low-privilege user credentials 2. CMS system exposes `/admin/attachment/download` endpoint **Attack Workflow**: 1. **Reconnaissance**: - Attacker identifies accessible attachment IDs through: - Brute-force ID enumeration (sequential/non-sequential) - Information leaks from other API responses - Social engineering (phishing legitimate users) 2. **Exploitation**: http GET /admin/attachment/download?id=admin_restricted_file123 HTTP/1.1 Host: target-cms.com Cookie: JSESSIONID=attacker_session_token 3. **Impact Realization**: - Server returns HTTP 200 with file stream - Attacker obtains: - Internal documents (PDF/XLS/DOC) - Configuration files - User PII data - System backup files ### Technical Analysis 1. **Missing Defense Layers**: - ❌ Shiro `@RequiresPermissions` annotation absent - ❌ No ownership validation between `attachment.createBy` and current user - ❌ No rate limiting/access logging for download operations 2. **Attack Surface Expansion**: - All attachments become accessible through: - IDOR (Insecure Direct Object Reference) - Predictable Snowflake ID generation (`IdUtil.getSnowflakeNextIdStr()`) - Impact severity increases with: - Horizontal permission misconfiguration - Admin-level attachments stored in system --- ## Evidence Indicators - **Successful Exploitation**: - HTTP 200 response with `Content-Disposition: attachment` header - Absence of permission-related exceptions in server logs - Matching timestamps between download request and file access events - **Failed Exploitation**: - HTTP 403 Forbidden (after proper fix implementation) - Security exceptions logged for unauthorized access attempts --- ## Recommended Mitigations @RequiresPermissions("system:attachment:download") // Add permission control
Fonte⚠️ https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1
Utilizador
 Anonymous User
Submissão14/04/2025 13h41 (há 1 Ano)
Moderação26/04/2025 09h41 (12 days later)
EstadoAceite
Entrada VulDB306313 [iteachyou Dreamer CMS até 4.1.3 Attachment download ID Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Want to know what is going to be exploited?

We predict KEV entries!