Z-BlogPHP Authorization Vulnerability Allows Commenters to Approve Their Own Comments

Vulnerability

An authorization vulnerability has been identified in Z-BlogPHP version 1.7.4.3430, specifically in the comment approval handling functions. It allows an authenticated low-privilege user with the 'commenter' role to approve their own pending comments without administrator oversight. The root cause is that the moderation handlers treat authorship of a comment as sufficient authorization to change its moderation status, so a commenter can bypass the moderation workflow for any comment they wrote. The vulnerability is exploitable remotely by anyone who can register or obtain a commenter account, and public proof-of-concept exploits are available.

Impact

Exploitation of this vulnerability allows low-privilege users to bypass comment moderation processes, enabling them to publish comments without required administrative approval. This could lead to the display of spam, abusive, or policy-violating content.

Reproduction

To reproduce this vulnerability, log into the Z-BlogPHP backend as a low-privilege commenter and submit a comment on an article. The comment is initially pending and not visible publicly. Then call the comment moderation endpoint directly by sending a request to 'zb_system/cmd.php?act=CommentChk' with the ID of that comment and the CSRF token issued to the commenter's own session. Because the token belongs to the attacker's legitimate session, the CSRF check passes and does not mitigate the issue. The comment is approved and becomes visible on the frontend, which can be confirmed by reloading the article page without being logged in.

Remediation

To address this vulnerability, remove the authorship-based exception in the 'CheckComment()' and 'BatchComment()' functions that lets a comment's author change the moderation status of their own comments; the authorization check in both functions should succeed only for users holding the 'CommentAll' permission or another designated moderation permission, and 'BatchComment()' should apply that check to every comment in the batch rather than to the request as a whole. Additionally, adjust the 'Admin_CommentMng()' function so that low-privilege commenters cannot reach the moderation tools for their own comments.
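The following is an added illustrative model of the authorization decision described in the Reproduction and Remediation sections; it is example code written for this page, not Z-BlogPHP source. The User and Comment classes, the status codes, the 'CommentAll' permission name and the request shape (comment ID plus CSRF token) are assumptions chosen to mirror the advisory's description. It shows the flawed rule (moderator OR author may approve) next to the hardened rule (moderator only), applied to both the single-comment and the batch handler.

```python
"""Model of the comment-approval authorization flaw and its fix.

Added example for this advisory, not Z-BlogPHP code: the data classes,
status codes, permission names and request shape are assumptions.
"""
from dataclasses import dataclass, field

PENDING, APPROVED = 0, 1  # assumed moderation status codes


@dataclass
class User:
    id: int
    permissions: set = field(default_factory=set)  # e.g. {"CommentAll"} for a moderator


@dataclass
class Comment:
    id: int
    author_id: int
    status: int = PENDING


class Forbidden(Exception):
    """Raised when a request fails the CSRF or authorization check."""


def can_moderate_vulnerable(user: User, comment: Comment) -> bool:
    """Flawed rule: a moderator OR the comment's own author may change status.
    The authorship clause is what lets a commenter approve their own comment."""
    return "CommentAll" in user.permissions or comment.author_id == user.id


def can_moderate_fixed(user: User, comment: Comment) -> bool:
    """Hardened rule: only holders of the moderation permission may change
    status; who wrote the comment is irrelevant to the decision."""
    return "CommentAll" in user.permissions


def check_comment(user: User, comment: Comment, csrf_ok: bool, policy) -> Comment:
    """Single-comment approval handler (the act=CommentChk path, modelled).
    The CSRF token check passes for the attacker's own session, so only the
    authorization policy decides whether self-approval is possible."""
    if not csrf_ok:
        raise Forbidden("invalid CSRF token")
    if not policy(user, comment):
        raise Forbidden("not allowed to moderate comment %d" % comment.id)
    comment.status = APPROVED
    return comment


def batch_comment(user: User, comments: list, csrf_ok: bool, policy) -> list:
    """Batch approval handler. Every comment is checked individually and the
    whole batch is refused if any item fails, so a mixed batch cannot smuggle
    an unauthorized approval through alongside permitted ones."""
    if not csrf_ok:
        raise Forbidden("invalid CSRF token")
    denied = [c.id for c in comments if not policy(user, c)]
    if denied:
        raise Forbidden("not allowed to moderate comments %s" % denied)
    for c in comments:
        c.status = APPROVED
    return comments


def approval_outcome(user: User, comment: Comment, csrf_ok: bool, policy) -> str:
    """Convenience wrapper returning 'approved' or 'forbidden' for one request."""
    try:
        check_comment(user, comment, csrf_ok, policy)
        return "approved"
    except Forbidden:
        return "forbidden"


def demo() -> dict:
    """Constructed scenario: commenter (id 7, no permissions) wrote comment 100;
    admin (id 1) holds CommentAll. Returns the outcome under each policy."""
    commenter = User(id=7)
    admin = User(id=1, permissions={"CommentAll"})
    own = Comment(id=100, author_id=7)
    return {
        "commenter_self_approve_vulnerable": approval_outcome(
            commenter, Comment(id=100, author_id=7), True, can_moderate_vulnerable),
        "commenter_self_approve_fixed": approval_outcome(
            commenter, own, True, can_moderate_fixed),
        "admin_approve_fixed": approval_outcome(
            admin, Comment(id=100, author_id=7), True, can_moderate_fixed),
        "own_comment_still_pending_after_fixed": own.status == PENDING,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The batch handler fails closed on purpose: silently skipping the disallowed items would still let an attacker probe which IDs they can touch, while refusing the whole batch keeps the audit trail simple and the behaviour predictable.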

Added: May 17, 2026, 11:18 AM
Updated: May 17, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 6.8
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.