VULHUB ™

### 简要描述： ThinkSNS某功能平行权限 ### 详细说明： 问题发生在微吧模块 代码apps\weiba\index.action.php public function postEdit() 这个方法有判断权限 不过到了代码 行561这里并没有判断被编辑的帖子是否是当前用户发的！ ``` public function doPostEdit(){ $weiba = D('weiba_post')->where('post_id='.intval($_POST['post_id']))->field('weiba_id,attach')->find(); if ( !CheckWeibaPermission( '' , $weiba['weiba_id'] ,'weiba_edit') ){ if ( !CheckPermission('weiba_normal','weiba_edit') ){ $this->error('对不起，您没有权限进行该操作！',true); } } $checkContent = str_replace('&nbsp;', '', $_POST['content']); $checkContent = str_replace('<br />', '', $checkContent); $checkContent = str_replace('<p>', '', $checkContent); $checkContent = str_replace('</p>', '', $checkContent); $checkContents = preg_replace('/<img(.*?)src=/i','img',$checkContent); $checkContents = preg_replace('/<embed(.*?)src=/i','img',$checkContents); if(strlen(t($_POST['title']))==0) $this->error('帖子标题不能为空',true); if(strlen(t($checkContents))==0) $this->error('帖子内容不能为空',true); preg_match_all('/./us',...

### 简要描述： ThinkSNS某功能平行权限 ### 详细说明： 问题发生在微吧模块 代码apps\weiba\index.action.php public function postEdit() 这个方法有判断权限 不过到了代码 行561这里并没有判断被编辑的帖子是否是当前用户发的！ ``` public function doPostEdit(){ $weiba = D('weiba_post')->where('post_id='.intval($_POST['post_id']))->field('weiba_id,attach')->find(); if ( !CheckWeibaPermission( '' , $weiba['weiba_id'] ,'weiba_edit') ){ if ( !CheckPermission('weiba_normal','weiba_edit') ){ $this->error('对不起，您没有权限进行该操作！',true); } } $checkContent = str_replace('&nbsp;', '', $_POST['content']); $checkContent = str_replace('<br />', '', $checkContent); $checkContent = str_replace('<p>', '', $checkContent); $checkContent = str_replace('</p>', '', $checkContent); $checkContents = preg_replace('/<img(.*?)src=/i','img',$checkContent); $checkContents = preg_replace('/<embed(.*?)src=/i','img',$checkContents); if(strlen(t($_POST['title']))==0) $this->error('帖子标题不能为空',true); if(strlen(t($checkContents))==0) $this->error('帖子内容不能为空',true); preg_match_all('/./us', t($_POST['title']), $match); if(count($match[0])>30){ //汉字和字母都为一个字 $this->error('帖子标题不能超过30个字',true); } $post_id = intval($_POST['post_id']); $data['title'] = t($_POST['title']); $data['content'] = h($_POST['content']); $data['attach'] = ''; if ( $_POST['attach_ids'] ){ $attach = explode('|', $_POST['attach_ids']); foreach ( $attach as $k=>$a){ if ( !$a ){ unset($attach[$k]); } } $attach = array_map( 'intval' , $attach); $data['attach'] = serialize($attach); } $res = D('weiba_post')->where('post_id='.$post_id)->save($data); if($res!==false){ $post_detail = D('weiba_post')->where('post_id='.$post_id)->find(); if(intval($_POST['log'])==1){ D('log')->writeLog($post_detail['weiba_id'],$this->mid,'编辑了帖子“<a href="'.U('weiba/Index/postDetail',array('post_id'=>$post_id)).'" target="_blank">'.$post_detail['title'].'</a>”','posts'); } //同步到微博 $feedInfo = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->find(); $datas = unserialize($feedInfo['feed_data']); $datas['content'] = '【'.$data['title'].'】'.getShort(t($checkContent),100).'&nbsp;'; $datas['body'] = $datas['content']; $data1['feed_data'] = serialize($datas); $data1['feed_content'] = $datas['content']; $feed_id = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->save($data1); model('Cache')->rm('fd_'.$post_detail['feed_id']); return $this->ajaxReturn($post_id, '编辑成功', 1); }else{ $this->error('编辑失败',true); } } ``` ### 漏洞证明： 第一步 用普通帐号 发布一个帖子 然后编辑 访问 /index.php?app=weiba&mod=Index&act=postEdit&post_id=1 [<img src="https://images.seebug.org/upload/201401/171534184078121e29dc37f742f59ff564ce2c5b.jpg" alt="thinksns_pxqx_1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/171534184078121e29dc37f742f59ff564ce2c5b.jpg) [<img src="https://images.seebug.org/upload/201401/171534303f3d13c90328d9cb1551f31171cb3c0b.jpg" alt="thinksns_pxqx_2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/171534303f3d13c90328d9cb1551f31171cb3c0b.jpg)