Description
Version: latest
Branch: master
Problem:
There is an authentication bypass vulnerability in SpringBootBlog. An attacker can exploit this vulnerability to access the /admin/ API without any token.
Source code
- The affected source code class is `com.wip.interceptor.BaseInterceptor`, and the affected function is `preHandle`. The filter code uses `request.getRequestURI()` to obtain the request path, and then determines whether the URI starts with `/admin` but does not start with `/admin/login`, `/admin/css`, etc. If the condition is not met, it executes `return true` and lets the request through the interceptor. Otherwise, it blocks the current request and redirects to the login page.
- The problem lies in using `request.getRequestURI()` to obtain the request path. This function does not normalize special path segments; the URI is passed on exactly as received, so `../` can be used to bypass the check. Taking one of the backend interfaces, `/admin/article/delete`, as an example, requesting `/admin/css/../article/delete` bypasses the `BaseInterceptor` and at the same time allows the deletion of any article.
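To make the root cause concrete, the following Python script (added here as an illustration; it is not code from SpringBootBlog, whose interceptor is written in Java) models the prefix check described above, shows why the raw URI passes it, and contrasts it with a check that first normalizes the path and matches on whole path segments. The exemption list `PUBLIC_PREFIXES` only contains the two prefixes named in the report; the access-log lines are constructed sample data, and the log scan is a simple detection idea for spotting dot-segment requests against `/admin` routes.

```python
import posixpath
import re

# Exempted prefixes as named in the report (the project lists more; these two are enough here).
PUBLIC_PREFIXES = ("/admin/login", "/admin/css")


def vulnerable_allows(uri: str) -> bool:
    """Model of the check the report describes: prefix-match the RAW request URI.

    Returns True when the request is let through without a login check.
    The container dispatches on the normalized path, but this check never sees it.
    """
    if not uri.startswith("/admin"):
        return True  # not an admin route, nothing to protect
    if any(uri.startswith(p) for p in PUBLIC_PREFIXES):
        return True  # login page / static assets are public
    return False  # would redirect to the login page


def normalize(uri: str) -> str:
    """Collapse '.' and '..' segments so the check sees the same path the handler will.

    The query string is dropped because only the path decides routing.
    """
    path = uri.split("?", 1)[0]
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def hardened_allows(uri: str) -> bool:
    """Same policy, but applied to the normalized path and on segment boundaries."""
    norm = normalize(uri)
    if not norm.startswith("/admin"):
        return True
    # Whole-segment match: /admin/cssx must not be treated as /admin/css.
    return any(norm == p or norm.startswith(p + "/") for p in PUBLIC_PREFIXES)


def has_dot_segments(path: str) -> bool:
    """True if the raw path contains a '.' or '..' segment (a sign of prefix-check evasion)."""
    return any(seg in (".", "..") for seg in path.split("/"))


# Constructed sample access-log lines (not real traffic from the project).
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - "GET /admin/css/style.css HTTP/1.1" 200',
    '127.0.0.1 - - "GET /admin/article/delete?cid=1 HTTP/1.1" 302',
    '127.0.0.1 - - "GET /admin/css/../article/delete?cid=1 HTTP/1.1" 200',
    '127.0.0.1 - - "GET /index HTTP/1.1" 200',
]

REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def flag_traversal_requests(lines):
    """Return the raw request targets that aim at /admin and carry dot segments."""
    flagged = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        raw = m.group(1)
        path = raw.split("?", 1)[0]
        if has_dot_segments(path) and normalize(raw).startswith("/admin"):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for uri in ("/admin/article/delete", "/admin/css/../article/delete", "/admin/css/style.css"):
        print(f"{uri:32} vulnerable={vulnerable_allows(uri)!s:5} hardened={hardened_allows(uri)}")
    print("flagged:", flag_traversal_requests(SAMPLE_ACCESS_LOG))
```

The same normalization idea applies inside a Spring interceptor: compare the cleaned path (or the path the dispatcher actually routes on) rather than the raw `getRequestURI()` value, and keep the allow-list matching on complete segments.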
Reproduce the vulnerability
Assume there are initially two articles in the blog.
Accessing http://127.0.0.1:8888/admin/article/delete directly will result in a redirect to the admin login page.
However, accessing http://127.0.0.1:8888/admin/css/../article/delete will bypass the authentication check and delete the specified article. All articles can then be deleted by iterating through all `cid` parameter values.