Submission #773907: 翱云科技 PbootCMS 3.2.12 Backend Arbitrary Field Modification via field and value Paramet (Information)

Title: 翱云科技 PbootCMS 3.2.12 Backend Arbitrary Field Modification via field and value Paramet
Description:

Title: PbootCMS 3.2.12 Backend Arbitrary Field Modification via field and value Parameters
Product: PbootCMS
Affected Version: 3.2.12
Vulnerability Type: CWE-284: Improper Access Control; CWE-639: Authorization Bypass Through User-Controlled Key
Severity: High
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (Base Score: 8.1)

Overview
A backend quick-modification feature accepts attacker-controlled field and value parameters and uses them to build update expressions. Because the code does not enforce an allowlist of editable attributes, a lower-privileged administrator may modify sensitive fields, such as the password hashes of other administrator accounts.

Audit Methodology
The issue was identified through static analysis of the backend quick-edit functionality and its field-level authorization behavior.

Audit Workflow
1. Reviewed backend quick-edit patterns in administrative controllers.
2. Located a dynamic field update path in apps/admin/controller/system/UserController.php.
3. Confirmed that the var filter only restricts characters and does not restrict which field names are allowed.
4. Constructed an administrative takeover scenario by setting another account's password hash.

Affected Code Location
File: apps/admin/controller/system/UserController.php

    if (($field = get('field', 'var')) && ! is_null($value = get('value', 'var'))) {
        if ($this->model->modUser($ucode, "$field='$value',update_user='" . session('username') . "'")) {

Root Cause
The application allows clients to choose which database field to modify. Character filtering is incorrectly treated as a sufficient control, but it does not prevent modification of sensitive attributes.

Reproduction Steps
GET /admin/User/mod?ucode=10002&field=password&value=14e1b600b1fd579f47433b88e8d85291
The supplied hash corresponds to md5(md5('123456')).

Impact
- Horizontal privilege abuse against peer administrators
- Potential administrative account takeover
- Unauthorized modification of sensitive user attributes

Remediation
- Do not accept arbitrary field names from client input
- Enforce explicit allowlists of editable attributes
- Apply object-level and field-level authorization checks
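The remediation above can be illustrated with a hardened version of the quick-edit path. The following is an added example written for this page, not PbootCMS code: the allowlist contents, the table name `user`, and the helper names `buildQuickEditUpdate` and `mayEditUser` are assumptions chosen for illustration. It shows the two controls the report asks for: a fixed allowlist that decides which column may be named by the client (field-level authorization), and an object-level check that ties the target record to the caller's own identity or an explicit management role, with the value bound as a parameter rather than interpolated.

```php
<?php
// Added example, not PbootCMS code. Table name, allowlist and helper names are hypothetical.

// Attributes a backend user may change through quick-edit. Sensitive columns
// (password, ucode, role/group, status) are deliberately absent from this list,
// so a request naming them is rejected before any SQL is built.
const QUICK_EDIT_ALLOWED = ['realname', 'email', 'mobile', 'sort'];

/**
 * Field-level authorization plus safe SQL construction for one quick-edit.
 * Returns [sql, params]; throws if the client-supplied field is not allowlisted.
 */
function buildQuickEditUpdate(string $field, string $value, string $ucode, string $operator): array
{
    // Strict comparison against a fixed list: the client can only pick a known column,
    // regardless of which characters the 'var' filter would have let through.
    if (!in_array($field, QUICK_EDIT_ALLOWED, true)) {
        throw new InvalidArgumentException("field '{$field}' is not editable via quick-edit");
    }
    // The column name is safe to embed only because it matched the allowlist above;
    // the value and identifiers are bound, never concatenated into the statement.
    $sql = "UPDATE `user` SET `{$field}` = :value, update_user = :operator WHERE ucode = :ucode";
    return [$sql, ['value' => $value, 'operator' => $operator, 'ucode' => $ucode]];
}

/**
 * Object-level authorization: a backend user may edit their own record, and other
 * records only when they hold a role that explicitly grants account management.
 */
function mayEditUser(string $sessionUcode, string $targetUcode, bool $canManageUsers): bool
{
    return $canManageUsers || hash_equals($sessionUcode, $targetUcode);
}

// Constructed demonstration of both checks against sample requests.
$sessionUcode = '10001';
$requests = [
    ['ucode' => '10001', 'field' => 'email',    'value' => 'ops@example.invalid'],   // own record, allowed field
    ['ucode' => '10002', 'field' => 'email',    'value' => 'ops@example.invalid'],   // peer record, no manage role
    ['ucode' => '10001', 'field' => 'password', 'value' => '<hash-placeholder>'],    // own record, forbidden field
];

foreach ($requests as $r) {
    if (!mayEditUser($sessionUcode, $r['ucode'], false)) {
        echo "REJECTED (object-level): ucode {$r['ucode']} is not the caller's record\n";
        continue;
    }
    try {
        [$sql, $params] = buildQuickEditUpdate($r['field'], $r['value'], $r['ucode'], 'admin');
        echo "OK: {$sql}\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED (field-level): {$e->getMessage()}\n";
    }
}
```

In the demonstration only the first request produces an UPDATE; the second fails the object-level check and the third fails the allowlist. A password change belongs in a dedicated handler with its own re-authentication and logging, not in a generic field setter.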
Source: https://github.com/zzj-create/cvetest/blob/main/VULN-06_BACKEND_ARBITRARY_FIELD_MODIFICATION_REPORT_EN.md#vuln-06-pbootcms-3212-backend-arbitrary-field-modification
User: zmjjkk (UID 96182)
Submitted: 2026-03-06 12:49 (3 months ago)
Moderated: 2026-03-20 15:35 (14 days later)
Status: accepted
VulDB entry: 352079 [PbootCMS up to 3.2.12 Backend UserController.php field privilege escalation]
Points: 20
