in zmister2016/mrdoc

2021-10-1618:15:19

hi-unc1e

www.huntr.dev

JSON

Description

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Proof of Concept

https://github.com/zmister2016/MrDoc/blob/master/app_admin/views.py#L985

# 普通用户修改密码
@login_required()
@logger.catch()
def change_pwd(request):
    if request.method == 'POST':
        try:
#  Without verifying the original password
            password = request.POST.get('password',None)
            password2 = request.POST.get('password2',None)
            print(password, password2)
            if password and password== password2:
                if len(password) &gt;= 6:
                    user = User.objects.get(id=request.user.id) 
                    user.set_password(password)
                    user.save()

Impact

This vulnerability is capable of

setting a new password for a user without knowing the original password，
in some certain cases （such as XSS attack）， the attacker could directly modify the password with just a valid session

recommended fix

validate the original password befroe saving new password

References

cwe.mitre.org/data/definitions/620.html

JSON