Gửi #850792: Craftcms CMS 5.10.1 Authorization Bypassthông tin

tiêu đềCraftcms CMS 5.10.1 Authorization Bypass
Mô tảMissing Authorization Check Allows Non-Admin CP Users to Reorder Global Sets The `reorder-sets` action in Craft CMS's `GlobalsController` is missing the `requireAdmin()` check that the adjacent `save-set` and `delete-set` actions both enforce. Any authenticated CP user can POST to `/actions/globals/reorder-sets` and permanently reorder all global sets in the project config, regardless of whether they have admin access. The reordering is written through to the project config and persists across requests. ### Details `GlobalsController` exposes three administrative actions for managing global set structure. Two of them gate on admin status; the third does not: ```php // vendor/craftcms/cms/src/controllers/GlobalsController.php public function actionSaveSet(): ?Response { $this->requirePostRequest(); $this->requireAdmin(); // enforced // ... } public function actionReorderSets(): Response { $this->requirePostRequest(); $this->requireAcceptsJson(); // requireAdmin() is absent $setIds = Json::decode($this->request->getRequiredBodyParam('ids')); Craft::$app->getGlobals()->reorderSets($setIds); return $this->asSuccess(); } public function actionDeleteSet(): Response { $this->requirePostRequest(); $this->requireAcceptsJson(); $this->requireAdmin(); // enforced // ... } ``` `reorderSets` writes the new order into the project config via `$projectConfig->set()`: ```php // vendor/craftcms/cms/src/services/Globals.php public function reorderSets(array $setIds): bool { $projectConfig = Craft::$app->getProjectConfig(); $uidsByIds = []; foreach ($setIds as $setId) { $uidsByIds[$setId] = Db::uidById(Table::GLOBALSETS, $setId); } foreach ($uidsByIds as $setId => $uid) { $sortOrder = array_search($setId, $setIds) + 1; $projectConfig->set(ProjectConfig::PATH_GLOBAL_SETS . '.' . $uid . '.sortOrder', $sortOrder); } return true; } ``` The project config change is applied immediately and persisted. Because any authenticated CP user satisfies `requirePostRequest()` and `requireAcceptsJson()`, the effective access control for this action is only "has a CP session."
Nguồn⚠️ https://github.com/craftcms/cms/commit/9bd05c91e6a7e6da5e949ec41a31c220c059aa04
Người dùng
 geochen (UID 78995)
Đệ trình07/06/2026 05:24 (cách đây 29 ngày)
Kiểm duyệt05/07/2026 20:26 (29 days later)
Trạng tháiđược chấp nhận
Mục VulDB376387 [Craft CMS đến 4.18.0.1 reorder-sets Endpoint GlobalsController.php actionReorderSets nâng cao đặc quyền]
điểm20

Do you need the next level of professionalism?

Upgrade your account now!