There is an Incorrect Access Control vulnerability in jshERP V3.3 that lead to the leakage of sensitive information in the backend system #98
Comments
|
好的, 明白了
…------------------ 原始邮件 ------------------
发件人: ***@***.***>;
发送时间: 2023年11月14日(星期二) 晚上11:18
收件人: ***@***.***>;
抄送: ***@***.***>;
主题: [jishenghua/jshERP] There is an Incorrect Access Control vulnerability in jshERP V3.3 that lead to the leakage of sensitive information in the backend system (Issue #98)
1.受影响的源代码文件是src/main/java/com/jsh/erp/filter/LogCostFilter.java,而受影响的函数是doFilter.
在过滤器代码中,使用使用servletRequest.getRequestURI()来获取请求路径,然后确定该路径是否包含/doc.html,/用户/登录,/用户/寄存器.如果是这样,执行过滤器(请求、响应)来跳过这个过滤器。其他的,继续检查。
然后确定路径是否以allowUrls.如果是这样,执行过滤器(请求、响应)来跳过这个过滤器。
值见下面的截图allowUrls
2.问题在于使用使用servletRequest.getRequestURI()来获取请求路径。这个函数获得的路径不会解析特殊符号,而是会直接传递下去,所以你可以使用../来绕过它。将其中一个后端接口/用户名/getAllList为例,使用/user/登录/.././jshERP-boot/user/getAllList能使之满足请输入您的用户名和密码:,与此同时,它还可以请求获取全部列表接口,实现登录旁路。
3.规则如下:
用户名/用户名/jshERP-引导/用户/getAllListHTTP/1.1主机:用户代理:Mozilla/5.0(Windows NT操作系统WIN 64;x64;远程访问:109.0)壁虎/20100101Firefox浏览器/116.0接受:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/Webp ,*/*; q =0.8接受语言:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding:连接:关闭升级-安全-请求:1
在访问/用户名/getAllList接口,它将返回“loginOut”。
在访问/user/登录/.././jshERP-boot/user/getAllList接口,可以绕过访问控制获取用户信息,其中还包括用户密码。
-
直接回复这封邮件,在GitHub上查看,或取消订阅.
您收到此消息是因为您订阅了此线程。消息ID:<吉盛华/ js herp /问题/ ***@***.***和>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1.The affected source code file is
src/main/java/com/jsh/erp/filter/LogCostFilter.java,and the affected function isdoFilter.In the filter code, use
servletRequest.getRequestURI()to obtain the request path, and then determine whether the path contains/doc.html,/user/login,/user/register. If so, executechain.doFilter(request, response)to skip this filter. Else, continue to check.Then determine whether the path startswith
allowUrls. If so, executechain.doFilter(request, response)to skip this filter.See the screenshot below for the value of
allowUrls2.The problem lies in using
servletRequest.getRequestURI()to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use../to bypass it. Taking one of the backend interfaces/jshERP-boot/user/getAllListas an example, using/user/login/../../jshERP-boot/user/getAllListcan make it satisfyrequestUrl.contains("/user/login" ), and at the same time, it can request thegetAllListinterface to achieve login bypass.3.The Poc is as follows:
When accessing the
/jshERP-boot/user/getAllListinterface directly, it will return "loginOut".When accessing the
/user/login/../../jshERP-boot/user/getAllListinterface, the user information can be obtained by bypassing the access control,whice also includes user passwords.The text was updated successfully, but these errors were encountered: