-------------------------------------------------------------
Discuz! X5.0 (UC_KEY) Cross-Context Token Reuse Vulnerability
-------------------------------------------------------------

[-] Software Link:

https://www.discuz.vip

[-] Affected Versions:

Version X5.0, releases 20260320 through 20260501.

[-] Vulnerability Description:

The vulnerable code is located within the /config/config_ucenter.php configuration file:

define('UC_KEY', $_config['security']['authkey']);

Discuz! X5.0, when installed in "standalone mode" (as in the default configuration), initializes the UC_KEY cryptographic constant by directly copying the value of the global authkey setting. As a result, the same cryptographic key is shared across multiple unrelated application components, including UCenter integration and the database backup/restore API exposed by the /api/db/dbbak.php script. This breaks cryptographic isolation and allows tokens produced in one context to be accepted as valid in another.

Specifically, the logging_ctl::logging_more() method, invoked during a login request when the lssubmit parameter is present, encrypts attacker-controlled input with the global authkey setting and reflects the resulting ciphertext back to the client, effectively acting as an encryption oracle. By injecting a crafted command payload through the username parameter, an unauthenticated attacker can obtain a legitimately signed token that bypasses the authorization check in /api/db/dbbak.php, gaining unauthenticated access to the database export and import functionality.

NOTE: by abusing the database export and import functionality, an attacker may be able to trigger a race condition that ultimately allows impersonating any user, bypassing authentication. This can be exploited in combination with other vulnerabilities (such as KIS-2026-11) to achieve unauthenticated Remote Code Execution.
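The key-separation point above, as an added illustration that is not part of this advisory or of the Discuz code base: when one master key is copied unchanged into two components, a token minted for one context verifies in the other, whereas deriving a per-context key from the same master makes the cross-context check fail. The token format, the context names and the master value are constructed assumptions, and Discuz's own authcode scheme is deliberately not reproduced.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the global 'authkey' setting; not a real key.
MASTER_AUTHKEY = b"constructed-master-authkey-for-demo"


def derive_key(master: bytes, context: str, separate_keys: bool = True) -> bytes:
    """Return the key a component uses to sign its tokens.

    separate_keys=False models the advisory's configuration, where UC_KEY is
    a straight copy of authkey, so every context signs with the same bytes.
    separate_keys=True binds the context name into the key (HMAC used as a
    simple KDF here), so unrelated components get unrelated keys.
    """
    if not separate_keys:
        return master
    return hmac.new(master, b"context:" + context.encode(), hashlib.sha256).digest()


def mint_token(master: bytes, context: str, payload: dict, separate_keys: bool = True) -> str:
    """Sign a JSON payload for one context (hypothetical token format)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    key = derive_key(master, context, separate_keys)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(master: bytes, context: str, token: str, separate_keys: bool = True):
    """Return the payload if the token verifies in this context, else None."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    key = derive_key(master, context, separate_keys)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def cross_context_accepted(separate_keys: bool) -> bool:
    """Mint a token in the 'ucenter' context, then try to verify it in 'dbbak'."""
    token = mint_token(MASTER_AUTHKEY, "ucenter", {"op": "login"}, separate_keys)
    return verify_token(MASTER_AUTHKEY, "dbbak", token, separate_keys) is not None


if __name__ == "__main__":
    print("shared key, accepted across contexts:", cross_context_accepted(False))   # True
    print("per-context keys, accepted across contexts:", cross_context_accepted(True))  # False
```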
[-] Proof of Concept:

https://karmainsecurity.com/pocs/discuz_rce.zip

[-] Solution:

Upgrade to release 20260510 or later.

[-] Disclosure Timeline:

[27/04/2026] - Vendor contacted through private messages on gitee.com, no response
[27/04/2026] - Vendor contacted via e-mail at admin () discuz vip and security () tencent com, no response
[07/05/2026] - Opened issue IJLFUW on https://gitee.com/Discuz/DiscuzX
[09/05/2026] - Vulnerability details shared within issue IJLFUW
[09/05/2026] - Vulnerability fixed within commit 9962dad52c4c6999dabaf91ecd70377c680ff3c6
[10/05/2026] - New fixed version (Discuz_X5.0_20260510) was released
[09/06/2026] - CVE identifier requested
[09/06/2026] - CVE identifier assigned
[13/06/2026] - Public disclosure at hackmeeting 0x1D
[15/06/2026] - Publication of this advisory

[-] CVE Reference:

CVE-2026-49952 has been assigned to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-09

[-] Technical write-up:

https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/