You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is an authentication bypass vulnerability in my-site. An attacker can exploit this vulnerability to access /admin/ API without any token.
SourceCode
The affected source code class is cn.luischen.interceptor.BaseInterceptor, and the affected function is preHandle. In the filter code, use request.getRequestURI() to obtain the request path,
and then determine whether the uri startsWith /admin but not startWith /admin/login、/admin/css, etc. If the condition is not met, it will execute return true to bypass the Interceptor. Otherwise, it will block the current request and redirect to the login page.
2. The problem lies in using request.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it.
From the patch 63214dd, we can observe two new checkpoints:
uri.replaceAll("/+", "/");, but it can only handle repeated //, but cannot handle ../
isSensitiveOperation function, but it can be passed throuth URL encoding
Taking one of the backend interfaces /admin/comments/delete as an example, using /admin/css/../comments/delete can make it bypass the BaseInterceptor, and at the same time, it allows the deletion of any comments.
Reproduce the vulnerablitity
Assume there are initially two comments in blog.
Accessing http://127.0.0.1:8089/admin/comments/delete directly will result in redirecting to an admin login page.
However, accessing http://127.0.0.1:8089/admin/css/../comments/%64elete will bypass the authentication check and delete specified comment. We can further delete all comments by iterating through all coid parameter values.
The text was updated successfully, but these errors were encountered:
Version: 1.0.2.RELEASE (63214dd)
Branch: master
Problem:
There is an authentication bypass vulnerability in my-site. An attacker can exploit this vulnerability to access /admin/ API without any token.
SourceCode
cn.luischen.interceptor.BaseInterceptor, and the affected function ispreHandle. In the filter code, userequest.getRequestURI()to obtain the request path,and then determine whether the
uristartsWith/adminbut not startWith/admin/login、/admin/css, etc. If the condition is not met, it will executereturn trueto bypass the Interceptor. Otherwise, it will block the current request and redirect to the login page.2. The problem lies in using
request.getRequestURI()to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use../to bypass it.From the patch 63214dd, we can observe two new checkpoints:
uri.replaceAll("/+", "/");, but it can only handle repeated//, but cannot handle../isSensitiveOperationfunction, but it can be passed throuth URL encodingTaking one of the backend interfaces
/admin/comments/deleteas an example, using/admin/css/../comments/deletecan make it bypass theBaseInterceptor, and at the same time, it allows the deletion of any comments.Reproduce the vulnerablitity
Assume there are initially two comments in blog.
Accessing
http://127.0.0.1:8089/admin/comments/deletedirectly will result in redirecting to an admin login page.However, accessing
http://127.0.0.1:8089/admin/css/../comments/%64eletewill bypass the authentication check and delete specified comment. We can further delete all comments by iterating through allcoidparameter values.The text was updated successfully, but these errors were encountered: