
MCMS issue3: `getFromFengMian` bypasses `cms:content:view`

Vulnerability call chain

1.1 Summary

MCMS has a missing-authorization vulnerability: getFromFengMian bypasses the cms:content:view permission check. Unauthorized users can read article fields including category relation, display status, type, details, out-link, and hit count.

  • Attack precondition: The attacker is an authenticated backend manager user without cms:content:view, and knows or can guess a categoryId.
  • Security impact: Unauthorized users can read article fields including category relation, display status, type, details, out-link, and hit count.

1.2 Exploit path

Request GET /ms/cms/content/getFromFengMian?categoryId=.... The endpoint validates only that categoryId is non-empty, queries content by category, and returns the first ContentEntity.

1.3 Key code evidence

  1. src/main/java/net/mingsoft/cms/action/ContentAction.java
     Evidence location: src/main/java/net/mingsoft/cms/action/ContentAction.java#L165
  2. src/main/java/net/mingsoft/cms/action/ContentAction.java
     Evidence location: src/main/java/net/mingsoft/cms/action/ContentAction.java#L171
  3. src/main/java/net/mingsoft/cms/action/ContentAction.java
     Evidence location: src/main/java/net/mingsoft/cms/action/ContentAction.java#L175
  4. src/main/java/net/mingsoft/cms/action/ContentAction.java
     Evidence location: src/main/java/net/mingsoft/cms/action/ContentAction.java#L123

3. Root Cause Analysis

Root Cause 1: Missing server-side authorization on the vulnerable operation.

The endpoint accepts user-controlled authorization-sensitive identifiers or fields, but the write/read path does not prove that the current caller may operate on the target object.

Root Cause 2: Missing object-scope or grant-bound validation.

The implementation relies on endpoint access, UI filtering, or object existence checks instead of enforcing target ownership, tenant boundary, role ceiling, or grantable-resource constraints at the service layer.

4. Fix recommendation

Add @RequiresPermissions("cms:content:view") to the endpoint and apply category/content visibility or scope checks before returning data.
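As an added illustration of the fix (this is not MCMS project code), the following places the vulnerable pattern beside a hardened form. Only the Shiro and Spring annotations are real; ContentLookup, CategoryScope and the ContentEntity stub are hypothetical stand-ins for whatever MCMS's service layer actually provides, and the URL paths are invented for the example.

```java
// Added illustration of the remediation; not code from MCMS.
// Hypothetical pieces: ContentEntity (stub), ContentLookup, CategoryScope, paths.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GetFromFengMianExample {

    /** Hypothetical stand-in for the entity the real endpoint returns. */
    public static class ContentEntity {
        public String id;
        public String categoryId;
        public String details;
    }

    /** Hypothetical data access: first content row in a category, or null. */
    public interface ContentLookup {
        ContentEntity findFirstByCategoryId(String categoryId);
    }

    /** Hypothetical scope check: may this principal read this category? */
    public interface CategoryScope {
        boolean canView(Object principal, String categoryId);
    }

    private final ContentLookup contentLookup;
    private final CategoryScope categoryScope;

    public GetFromFengMianExample(ContentLookup contentLookup, CategoryScope categoryScope) {
        this.contentLookup = contentLookup;
        this.categoryScope = categoryScope;
    }

    // BEFORE: the pattern the advisory describes. The only check is that
    // categoryId is non-empty; any logged-in backend user who supplies a
    // category id gets the first ContentEntity back.
    @GetMapping("/example/vulnerable/getFromFengMian")
    public ResponseEntity<ContentEntity> vulnerable(@RequestParam String categoryId) {
        if (categoryId == null || categoryId.isEmpty()) {
            return ResponseEntity.badRequest().build();
        }
        return ResponseEntity.ok(contentLookup.findFirstByCategoryId(categoryId));
    }

    // AFTER: two independent layers.
    // 1. @RequiresPermissions makes Shiro reject callers lacking
    //    cms:content:view before the method body runs (an
    //    AuthorizationException, normally mapped to HTTP 403).
    // 2. A scope check ties the specific categoryId to the caller, so
    //    holding the permission alone does not unlock arbitrary categories.
    @RequiresPermissions("cms:content:view")
    @GetMapping("/example/fixed/getFromFengMian")
    public ResponseEntity<ContentEntity> fixed(@RequestParam String categoryId) {
        if (categoryId == null || categoryId.isEmpty()) {
            return ResponseEntity.badRequest().build();
        }
        Object principal = SecurityUtils.getSubject().getPrincipal();
        if (!categoryScope.canView(principal, categoryId)) {
            // Out-of-scope identifier: rejected before any sensitive read.
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        ContentEntity first = contentLookup.findFirstByCategoryId(categoryId);
        if (first == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok(first);
    }
}
```

One caveat worth keeping in mind when verifying the fix: Shiro's @RequiresPermissions is only enforced when the annotation advisor (AuthorizationAttributeSourceAdvisor with an auto-proxy creator) is active and the controller is invoked through its proxy; without that, the annotation is silently inert. That is why the verification step should issue a real request as a user lacking cms:content:view and confirm the 403, rather than trusting the presence of the annotation.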

5. Verification after fix

  • Unauthorized callers receive HTTP 403 or equivalent rejection.
  • Out-of-scope target identifiers are rejected before database writes or sensitive reads.
  • Role, permission, tenant, organization, ownership, or grant-bound ceilings are enforced server-side.
  • Direct HTTP requests are rejected even when front-end controls are hidden.
http://www.jsqmd.com/news/1035918/
