You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is an authentication bypass vulnerability in jeewx-boot. An attacker can exploit this vulnerability to access /system/back/xxx API without any token.
问题截图:
The affected source code class is com.jeecg.p3.system.interceptors.LoginInterceptor, and the affected function is preHandle. In the filter code, it uses getRequestPath()(which use request.getRequestURI()) to obtain the request path,
and then determine whether the requestPath contains /back/. If the condition is not met, it will execute return true to bypass the Interceptor. Otherwise, it will block the current request and redirect to the login page.
The problem lies in using request.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ; to bypass it. Taking one of the backend interfaces /system/back/jwSystemUser/list.do as an example, using /system/back;/jwSystemUser/list.do can make it bypass the LoginInterceptor and access the user info without any token.
Reproduce the vulnerablitity
Accessing http://127.0.0.1/system/back/jwSystemUser/list.do directly will result in redirecting to an login page.
However, accessing http://127.0.0.1/system/back;/jwSystemUser/list.do will bypass the authentication check and access the user info.
The text was updated successfully, but these errors were encountered:
版本号:1.3
问题描述:
问题截图:
com.jeecg.p3.system.interceptors.LoginInterceptor, and the affected function ispreHandle. In the filter code, it usesgetRequestPath()(which userequest.getRequestURI()) to obtain the request path,and then determine whether the
requestPathcontains/back/. If the condition is not met, it will executereturn trueto bypass the Interceptor. Otherwise, it will block the current request and redirect to the login page.;to bypass it. Taking one of the backend interfaces/system/back/jwSystemUser/list.doas an example, using/system/back;/jwSystemUser/list.docan make it bypass theLoginInterceptorand access the user info without any token.Reproduce the vulnerablitity
Accessing
http://127.0.0.1/system/back/jwSystemUser/list.dodirectly will result in redirecting to an login page.However, accessing
http://127.0.0.1/system/back;/jwSystemUser/list.dowill bypass the authentication check and access the user info.The text was updated successfully, but these errors were encountered: