这个漏洞目前影响至禅道最新版9.1.2(2017-04-19)

一、权限控制

①禅道的权限控制在module\common\model.php中的checkPriv()函数

// 1106行
public function checkPriv()
{
    $module = $this->app->getModuleName();
    $method = $this->app->getMethodName();
    if(isset($this->app->user->modifyPassword) and $this->app->user->modifyPassword and $module != 'my' and $method != 'changepassword') die(js::locate(helper::createLink('my', 'changepassword')));
    if($this->isOpenMethod($module, $method)) return true;
    if(!$this->loadModel('user')->isLogon() and $this->server->php_auth_user) $this->user->identifyByPhpAuth();
    if(!$this->loadModel('user')->isLogon() and $this->cookie->za) $this->user->identifyByCookie();

    if(isset($this->app->user))
    {
        if(!commonModel::hasPriv($module, $method)) $this->deny($module, $method);
    }
    else
    {
        $referer  = helper::safe64Encode($this->app->getURI(true));
        die(js::locate(helper::createLink('user', 'login', "referer=$referer")));
    }
}

②它调用了hasPirv()函数判断是否有权限
~~~
/ 1135行
public static function hasPriv($module, $method)
{
    global $app, $lang;

    / Check is the super admin or not. /
    if($app->user->admin) return true;

    / If not super admin, check the rights. /
    $rights  = $app->user->rights['rights'];
    $acls    = $app->user->rights['acls'];
    $module  = strtolower($module);
    $method  = strtolower($method);
    if(isset($rights[$module][$method]))
    {
        if(empty($acls['views'])) return true;
        $menu = isset($lang->menugroup->$module) ? $lang->menugroup->$module : $module;
        $menu = strtolower($menu);
        if($menu != 'qa' and !isset($lang->$menu->menu)) return true;
        if($menu == 'my' or $menu == 'index' or $module == 'tree') return true;
        if($module == 'company' and $method == 'dynamic') return true;
        if($module == 'action' and $method == 'editcomment') return true;
        if(!isset($acls['views'][$menu])) return false;
        return true;