[Suggested description]
Ofcms v1.1.4 allows a remote, authenticated attacker to escalate privileges via the respwd method in SysUserController: the user_id supplied in the password-change request is used directly, without checking that it matches the user identified by the current session, so any normal user can reset the administrator's password.
[Vulnerability Type]
Logical vulnerability (missing authorization check on user_id, insecure direct object reference)
[Vendor of Product]
https://gitee.com/oufu/ofcms
[Affected Product Code Base]
v1.1.4
[Affected Component]
SysUserController, respwd method (password change)
[Attack Type]
Remote
[Impact Escalation of Privileges]
true
[Vulnerability to prove]
First, log in to the database and check the stored password of the admin account (user_id 1): the stored value is the SHA-256 hash of 'admin'. SHA-256 cannot be decrypted; the plaintext is recovered by hashing candidate passwords and comparing the results with the stored hash.
Log in with a normal (non-admin) account and open the change-password function.
Intercept the password-change request; it carries the user_id of the normal account, which is 5.
The request is handled by the respwd method of SysUserController. The source code shows that the incoming user_id is used directly to select the record to update and is never compared with the user identified by the current session cookie, so any authenticated user can change any other user's password.
Change user_id to 1 (the admin account) and resend the request; the server returns HTTP 200 and reports that the operation succeeded.
Log in to the admin account with the new password "test"; the login succeeds.
In the database, the admin account's stored password hash now corresponds to "test".
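The flaw above, modelled in Python as an added example that is not ofcms code (the handler names respwd_vulnerable and respwd_fixed, the in-memory user table and the passwords other than 'admin' and 'test' are assumptions made for illustration; the user IDs 1 and 5 follow the report). run_poc() replays the steps of the proof: a session for user 5 submits user_id=1, and afterwards 'test' logs in as admin. respwd_fixed shows the check that is missing: the requested user_id must equal the session's user (with the current password supplied) or the caller must be an administrator. recover_plaintext shows what "decrypting" the SHA-256 hash actually means, a dictionary comparison.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


# Constructed stand-in for the ofcms user table (assumption: the stored
# password is the hex SHA-256 of the plaintext, as the report describes).
@dataclass
class User:
    user_id: int
    username: str
    password_hash: str
    is_admin: bool = False


def sha256_hex(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def make_db() -> Dict[int, User]:
    """Fresh copy of the constructed table: admin is user_id 1, the normal
    account is user_id 5 (its password 'normal-pass' is an assumption)."""
    return {
        1: User(1, "admin", sha256_hex("admin"), is_admin=True),
        5: User(5, "normal", sha256_hex("normal-pass")),
    }


def recover_plaintext(stored_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """SHA-256 is not reversible; the plaintext is found by hashing guesses
    and comparing, which is how 'admin' is recovered from the database."""
    for guess in candidates:
        if sha256_hex(guess) == stored_hash:
            return guess
    return None


def verify_login(db: Dict[int, User], username: str, password: str) -> bool:
    for user in db.values():
        if user.username == username:
            return user.password_hash == sha256_hex(password)
    return False


class Forbidden(Exception):
    pass


def respwd_vulnerable(db: Dict[int, User], session_user_id: int, form: Dict[str, str]) -> Dict[str, object]:
    """Hypothetical handler with the reported flaw: the record to update is
    chosen purely from the request's user_id; session_user_id is received
    from the session but never consulted."""
    target = db[int(form["user_id"])]
    target.password_hash = sha256_hex(form["password"])
    return {"status": 200, "msg": "processing success"}


def respwd_fixed(db: Dict[int, User], session_user_id: int, form: Dict[str, str]) -> Dict[str, object]:
    """Hardened form. session_user_id must come from the server-side session
    (never from a client-controlled field); the request's user_id is only
    honoured if it is the caller's own account or the caller is an admin."""
    caller = db[session_user_id]
    requested = int(form["user_id"])
    if requested == session_user_id:
        # Self-service change: prove knowledge of the current password.
        if caller.password_hash != sha256_hex(form.get("old_password", "")):
            raise Forbidden("current password does not match")
    elif not caller.is_admin:
        # Only administrators may reset another user's password.
        raise Forbidden(f"user {session_user_id} may not change the password of user {requested}")
    db[requested].password_hash = sha256_hex(form["password"])
    return {"status": 200, "msg": "processing success"}


def run_poc() -> bool:
    """Replay the report: session of user 5, request user_id=1, password 'test'."""
    db = make_db()
    resp = respwd_vulnerable(db, session_user_id=5, form={"user_id": "1", "password": "test"})
    return resp["status"] == 200 and verify_login(db, "admin", "test")


if __name__ == "__main__":
    print("stored admin hash matches:", recover_plaintext(make_db()[1].password_hash, ["123456", "admin"]))
    print("PoC takes over admin via vulnerable handler:", run_poc())
```

The fixed handler deliberately keeps the same request shape as the vulnerable one; the change is only in what the server trusts. Binding the target record to the session user (or requiring an admin role) is the check the report finds missing, and requiring the current password for self-service changes additionally limits what a stolen session cookie can do.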