You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is an authentication bypass vulnerability in blog. An attacker can exploit this vulnerability to access /admin/ API without any token.
Source code
The affected source code class is com.my.blog.website.interceptor.BaseInterceptor, and the affected function is preHandle. In the filter code, use request.getRequestURI() to obtain the request path,
and then determine whether the uri startsWith /admin but not startWith /admin/login. If the condition is not met, it will execute return true to bypass the Interceptor. Otherwise, it will block the current request and redirect to the login page.
The problem lies in using request.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it.
Taking one of the backend interfaces /admin/comments/delete as an example, using /admin/login/../comments/delete can make it bypass the BaseInterceptor, and at the same time, it allows the deletion of any comments.
Reproduce the vulnerablitity
Accessing http://127.0.0.1:8081/admin/comments/delete directly will result in redirecting to an admin login page.
However, accessing http://127.0.0.1:8081/admin/login/../comments/delete will bypass the authentication check and delete specified comment. We can further delete all comments by iterating through all coid parameter values.
The text was updated successfully, but these errors were encountered:
Version: latest
Brach: master
Problem:
There is an authentication bypass vulnerability in blog. An attacker can exploit this vulnerability to access
/admin/API without any token.Source code
com.my.blog.website.interceptor.BaseInterceptor, and the affected function ispreHandle. In the filter code, userequest.getRequestURI()to obtain the request path,and then determine whether the
uristartsWith/adminbut not startWith/admin/login. If the condition is not met, it will executereturn trueto bypass the Interceptor. Otherwise, it will block the current request and redirect to the login page.request.getRequestURI()to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use../to bypass it.Taking one of the backend interfaces
/admin/comments/deleteas an example, using/admin/login/../comments/deletecan make it bypass theBaseInterceptor, and at the same time, it allows the deletion of any comments.Reproduce the vulnerablitity
Accessing
http://127.0.0.1:8081/admin/comments/deletedirectly will result in redirecting to an admin login page.However, accessing
http://127.0.0.1:8081/admin/login/../comments/deletewill bypass the authentication check and delete specified comment. We can further delete all comments by iterating through allcoidparameter values.The text was updated successfully, but these errors were encountered: