[KIS-2026-09] Discuz! X5.0 (UC_KEY) Cross-Context Token Reuse Vulnerability
Full Disclosure mailing list archives


From: Egidio Romano <n0b0d13s () gmail com>
Date: Mon, 15 Jun 2026 20:42:12 +0200

-------------------------------------------------------------
Discuz! X5.0 (UC_KEY) Cross-Context Token Reuse Vulnerability
-------------------------------------------------------------


[-] Software Link:

https://www.discuz.vip


[-] Affected Versions:

Version X5.0, releases 20260320 through 20260501.


[-] Vulnerability Description:

The vulnerable code is located within the /config/config_ucenter.php
configuration file:

define('UC_KEY', $_config['security']['authkey']);

Discuz! X5.0, when installed in "standalone mode" (which is the default
configuration), initializes the UC_KEY cryptographic constant by directly
copying the value of the global authkey setting.

As a result, the same cryptographic key is shared across multiple unrelated
application components, including UCenter integration and the database
backup/restore API exposed by the /api/db/dbbak.php script. This breaks
cryptographic isolation and allows tokens produced in one context to be
accepted as valid in another.

Specifically, the logging_ctl::logging_more() method — invoked during a
login request when the lssubmit parameter is present — encrypts
attacker-controlled input with the global authkey setting and reflects the
resulting ciphertext back to the client, effectively acting as an
encryption oracle. By injecting a crafted command payload through the
username parameter, an unauthenticated attacker can obtain a legitimately
signed token that bypasses the authorization check in /api/db/dbbak.php,
gaining unauthenticated access to the database export and import
functionality.
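To make the missing cryptographic isolation concrete, the following is an added Python illustration, not Discuz code and not part of the advisory: a token minted under a single shared key is accepted by an unrelated component, while per-context keys derived from the same master secret reject it. The `ucenter`/`dbbak` labels, the HMAC-based token format and the master key value are constructed assumptions, not Discuz's actual token scheme.

```python
import hmac
import hashlib

# Constructed stand-in for the global authkey; not a real secret.
MASTER_AUTHKEY = b"constructed-authkey-not-a-real-secret"


def derive_context_key(master_key: bytes, context: str) -> bytes:
    """Derive a per-component key by binding a context label to the master key.

    HMAC with a fixed prefix plus the label gives domain separation: keys for
    different labels are unrelated even though they share one master secret.
    """
    return hmac.new(master_key, b"key-separation/" + context.encode(), hashlib.sha256).digest()


def sign_token(key: bytes, payload: bytes) -> bytes:
    """Mint a token as payload.mac (hypothetical format used for illustration)."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + mac


def verify_token(key: bytes, token: bytes) -> bool:
    """Check a token against the key the receiving component trusts."""
    payload, sep, mac = token.rpartition(b".")
    if not sep:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(mac, expected)


def shared_key_scheme() -> bool:
    """Vulnerable pattern: UC_KEY is a plain copy of authkey."""
    uc_key = MASTER_AUTHKEY
    dbbak_key = MASTER_AUTHKEY
    token = sign_token(uc_key, b"issued-by-ucenter")
    # A token produced in the UCenter context verifies in the dbbak context.
    return verify_token(dbbak_key, token)


def separated_key_scheme() -> tuple:
    """Mitigated pattern: each component gets its own derived key."""
    uc_key = derive_context_key(MASTER_AUTHKEY, "ucenter")
    dbbak_key = derive_context_key(MASTER_AUTHKEY, "dbbak")
    token = sign_token(uc_key, b"issued-by-ucenter")
    # Accepted where it was issued, rejected everywhere else.
    return verify_token(uc_key, token), verify_token(dbbak_key, token)
```

The same separation applies to any encryption-oracle output: if the oracle and the consumer key off different derived keys, reflected ciphertext has no value outside the context that produced it.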

NOTE: by abusing the database export and import functionality, an attacker
may be able to trigger a Race Condition that ultimately allows
impersonating any user, bypassing authentication. This can be exploited in
combination with other vulnerabilities (such as KIS-2026-11) to achieve
unauthenticated Remote Code Execution.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/discuz_rce.zip


[-] Solution:

Upgrade to release 20260510 or later.


[-] Disclosure Timeline:

[27/04/2026] - Vendor contacted through private messages on gitee.com, no
response
[27/04/2026] - Vendor contacted via e-mail at admin () discuz vip and
security () tencent com, no response
[07/05/2026] - Opened issue IJLFUW on https://gitee.com/Discuz/DiscuzX
[09/05/2026] - Vulnerability details shared within issue IJLFUW
[09/05/2026] - Vulnerability fixed within commit
9962dad52c4c6999dabaf91ecd70377c680ff3c6
[10/05/2026] - New fixed version (Discuz_X5.0_20260510) was released
[09/06/2026] - CVE identifier requested
[09/06/2026] - CVE identifier assigned
[13/06/2026] - Public disclosure at hackmeeting 0x1D
[15/06/2026] - Publication of this advisory


[-] CVE Reference:

CVE-2026-49952 has been assigned to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-09


[-] Technical write-up:

https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Source: https://seclists.org/fulldisclosure/2026/Jun/3