Submit #557639: iteachyou dreamer_cms 4.1.3 broken function level authorizationinfo

Titleiteachyou dreamer_cms 4.1.3 broken function level authorization
DescriptionA vertical privilege escalation vulnerability exists in the file download functionality of the CMS attachment management module. Unauthorized users (without admin permission)can exploit this vulnerability to download arbitrary system attachments, leading to potential sensitive data exposure. ### Exploitation Scenario **Preconditions**: 1. Attacker has valid low-privilege user credentials 2. CMS system exposes `/admin/attachment/download` endpoint **Attack Workflow**: 1. **Reconnaissance**: - Attacker identifies accessible attachment IDs through: - Brute-force ID enumeration (sequential/non-sequential) - Information leaks from other API responses - Social engineering (phishing legitimate users) 2. **Exploitation**: http GET /admin/attachment/download?id=admin_restricted_file123 HTTP/1.1 Host: target-cms.com Cookie: JSESSIONID=attacker_session_token 3. **Impact Realization**: - Server returns HTTP 200 with file stream - Attacker obtains: - Internal documents (PDF/XLS/DOC) - Configuration files - User PII data - System backup files ### Technical Analysis 1. **Missing Defense Layers**: - ❌ Shiro `@RequiresPermissions` annotation absent - ❌ No ownership validation between `attachment.createBy` and current user - ❌ No rate limiting/access logging for download operations 2. **Attack Surface Expansion**: - All attachments become accessible through: - IDOR (Insecure Direct Object Reference) - Predictable Snowflake ID generation (`IdUtil.getSnowflakeNextIdStr()`) - Impact severity increases with: - Horizontal permission misconfiguration - Admin-level attachments stored in system --- ## Evidence Indicators - **Successful Exploitation**: - HTTP 200 response with `Content-Disposition: attachment` header - Absence of permission-related exceptions in server logs - Matching timestamps between download request and file access events - **Failed Exploitation**: - HTTP 403 Forbidden (after proper fix implementation) - Security exceptions logged for unauthorized access attempts --- ## Recommended Mitigations @RequiresPermissions("system:attachment:download") // Add permission control
Source⚠️ https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1
User
 Anonymous User
Submission04/14/2025 13:41 (1 Year ago)
Moderation04/26/2025 09:41 (12 days later)
StatusAccepted
VulDB entry306313 [iteachyou Dreamer CMS up to 4.1.3 Attachment download ID improper authorization]
Points20

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!