修复建议:
严格控制用户组权限
这个漏洞目前影响至禅道最新版9.1.2(2017-04-19)
一、权限控制
①禅道的权限控制在module\common\model.php中的checkPriv()函数
// 1106行
/**
 * Gate every request on login state and on the current user's rights.
 *
 * Order of the checks, as executed:
 *   1. a user flagged with modifyPassword is redirected to my/changepassword;
 *   2. open methods (isOpenMethod) pass without login or rights lookup;
 *   3. a not-logged-on user may still be identified via PHP auth or the "za" cookie;
 *   4. no user at all -> redirect to user/login with the current URI as referer;
 *   5. otherwise commonModel::hasPriv() decides, and deny() is called on failure.
 *
 * Note: the forced-password redirect in step 1 is skipped whenever the module is 'my'
 * OR the method is 'changepassword' (the condition is an AND of two inequalities),
 * so a 'changepassword' method of any module is exempt from it.
 *
 * @return bool|void true when the request may proceed; die()s on redirect
 */
public function checkPriv()
{
    $moduleName = $this->app->getModuleName();
    $methodName = $this->app->getMethodName();

    /* Step 1: forced password change. */
    $mustChangePassword = isset($this->app->user->modifyPassword) && $this->app->user->modifyPassword;
    if($mustChangePassword && $moduleName != 'my' && $methodName != 'changepassword')
    {
        die(js::locate(helper::createLink('my', 'changepassword')));
    }

    /* Step 2: open methods need neither login nor a rights check. */
    if($this->isOpenMethod($moduleName, $methodName)) return true;

    /* Step 3: alternative identification paths before requiring an interactive login. */
    if(!$this->loadModel('user')->isLogon() && $this->server->php_auth_user) $this->user->identifyByPhpAuth();
    if(!$this->loadModel('user')->isLogon() && $this->cookie->za) $this->user->identifyByCookie();

    /* Step 4: still nobody identified -> send to the login page, keeping the requested URI. */
    if(!isset($this->app->user))
    {
        $referer = helper::safe64Encode($this->app->getURI(true));
        die(js::locate(helper::createLink('user', 'login', "referer=$referer")));
    }

    /* Step 5: the actual rights decision. */
    if(!commonModel::hasPriv($moduleName, $methodName)) $this->deny($moduleName, $methodName);
}
②它调用了hasPriv()函数判断是否有权限
~~~
// 1135行
public static function hasPriv($module, $method)
{
global $app, $lang;
/ Check is the super admin or not. /
if($app->user->admin) return true;
/ If not super admin, check the rights. /
$rights = $app->user->rights['rights'];
$acls = $app->user->rights['acls'];
$module = strtolower($module);
$method = strtolower($method);
if(isset($rights[$module][$method]))
{
if(empty($acls['views'])) return true;
$menu = isset($lang->menugroup->$module) ? $lang->menugroup->$module : $module;
$menu = strtolower($menu);
if($menu != 'qa' and !isset($lang->$menu->menu)) return true;
if($menu == 'my' or $menu == 'index' or $module == 'tree') return true;
if($module == 'company' and $method == 'dynamic') return true;
if($module == 'action' and $method == 'editcomment') return true;
if(!isset($acls['views'][$menu])) return false;
return true;