Forgejo 安全漏洞(CVE-2023-49948) 復現

kr0x02發表於2024-11-10

影響:
攻擊者可在使用者頁面 URL 的使用者名稱後新增 .rss(或 .atom、.png、.keys、.gpg 等副檔名),藉此探測已設定為私有的使用者賬戶是否存在(使用者列舉)。該漏洞使私有賬號的存在資訊外洩,增加隱私風險;Forgejo 已在下方連結的 commit d7408d8b 中修復。
復現前提:目標賬號已設定為私有。

`
https://codeberg.org/forgejo/forgejo/commit/d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d

routers/web/user/home.go

@ -821,6 +821,11 @@ func UsernameSubRoute(ctx *context.Context) {
reloadParam := func(suffix string) (success bool) {
ctx.SetParams("username", strings.TrimSuffix(username, suffix))
context_service.UserAssignmentWeb()(ctx)
// check view permissions
if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
return false
}
return !ctx.Written()
}
switch {`
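Review bot: The new visibility check runs before `ctx.Written()` is consulted, so if `context_service.UserAssignmentWeb()(ctx)` has already failed to resolve the user and (presumably) left `ctx.ContextUser` nil after writing its own 404, both `IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer)` and the `ctx.ContextUser.Name` access would dereference a nil pointer; putting `if ctx.Written() { return false }` ahead of the check avoids that. Separately, `fmt.Errorf(ctx.ContextUser.Name)` uses a non-constant format string — `go vet` flags it, and although usernames are presumably restricted to safe characters, `errors.New(ctx.ContextUser.Name)` is the intended form. For the enumeration fix to hold, the response for a private user should be indistinguishable (status, body, timing) from the one `UserAssignmentWeb` emits for a nonexistent user, which cannot be confirmed from this hunk alone. The enclosing `UsernameSubRoute` function and the `switch` continue outside the hunk.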

修復後的 UsernameSubRoute 程式碼(節錄,結尾部分未列出)
func UsernameSubRoute(ctx *context.Context) {
// WORKAROUND to support usernames with "." in it
// https://github.com/go-chi/chi/issues/781
username := ctx.Params("username")
reloadParam := func(suffix string) (success bool) {
ctx.SetParams("username", strings.TrimSuffix(username, suffix))

	context_service.UserAssignmentWeb()(ctx)
	// check view permissions
	if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
		ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
		return false
	}
	return !ctx.Written()
}
switch {
case strings.HasSuffix(username, ".png"):
	if reloadParam(".png") {
		AvatarByUserName(ctx)
	}
case strings.HasSuffix(username, ".keys"):
	if reloadParam(".keys") {
		ShowSSHKeys(ctx)
	}
case strings.HasSuffix(username, ".gpg"):
	if reloadParam(".gpg") {
		ShowGPGKeys(ctx)
	}
case strings.HasSuffix(username, ".rss"):
	if !setting.Other.EnableFeed {
		ctx.Error(http.StatusNotFound)
		return
	}
	if reloadParam(".rss") {
		context_service.UserAssignmentWeb()(ctx)
		feed.ShowUserFeedRSS(ctx)
	}
case strings.HasSuffix(username, ".atom"):
	if !setting.Other.EnableFeed {
		ctx.Error(http.StatusNotFound)
		return
	}
	if reloadParam(".atom") {
		feed.ShowUserFeedAtom(ctx)
	}

修復前,即使賬號已設定為私有,訪問者仍可在使用者名稱後新增 .png、.keys、.gpg、.rss、.atom 等副檔名,透過回應判斷該使用者是否存在;修復後 reloadParam 會先以 IsUserVisibleToViewer 檢查檢視權限,無權限時統一回傳 NotFound。
