Submission #622421: WinterChenS my-site up to 1f7525f15934d9d6a278de967f6ec9f1757738d8 Incorrect Access Control Info

Title: WinterChenS my-site up to 1f7525f15934d9d6a278de967f6ec9f1757738d8 Incorrect Access Control
Description: [Vendor of Product] https://github.com/WinterChenS/my-site/ Version: up to 1f7525f15934d9d6a278de967f6ec9f1757738d8 Branch: master Problem: There is an authentication bypass vulnerability in my-site. An attacker can exploit it to access the /admin/ API without any token. The affected source class is cn.luischen.interceptor.BaseInterceptor and the affected function is preHandle. The interceptor uses normalizeRequestUri to obtain the request path and then checks whether the URI satisfies isAdminPath but does not start with /admin/login, /admin/css, etc. If that condition is not met, it executes return true and the request passes the interceptor; otherwise it blocks the current request and redirects to the login page. Although some normalization is applied to the original URL path (URL decoding, lowercasing and slash collapsing), a semicolon is handled by simply truncating the path at that point, which is the problem: everything after the semicolon, including any ../ segments, is ignored by the check but not by the container that routes the request. An attacker can exploit this with a path such as /admin/login;/../<sensitive-path> to bypass the access restriction. Taking the backend interface /admin/article/publish as an example, requesting /admin/login;/../article/publish bypasses the BaseInterceptor and allows publishing any article. Accessing http://127.0.0.1:8089/admin/article/publish directly redirects to the admin login page, whereas accessing http://127.0.0.1:8089/admin/login;/../article/publish bypasses the authentication check and publishes an arbitrary article.
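The following model of the mismatch is an added example, not code from the my-site project or from the submitter. It reproduces the normalization the description attributes to BaseInterceptor (decode, lowercase, collapse slashes, truncate at the first semicolon) beside a hardened variant that strips path parameters per segment and resolves dot segments before matching. The whitelist (/admin/login, /admin/css) is taken from the description; the container_resolve function is an assumption about how a servlet container such as Tomcat maps the raw URI to a handler (path parameters dropped per segment, then ../ resolved), which is what makes the truncated check and the executed handler disagree.

```python
"""Model of the semicolon-truncation bypass described above (example code,
not the project's own). All paths and the whitelist are constructed inputs."""
import posixpath
import re
from urllib.parse import unquote

# Admin sub-paths the interceptor lets through without a login (assumed
# whitelist, taken from the description's "/admin/login, /admin/css, etc.").
PUBLIC_ADMIN_PREFIXES = ("/admin/login", "/admin/css")


def _strip_path_params(path: str) -> str:
    """Drop ';key=value' path parameters from every segment, e.g.
    '/admin/login;jsessionid=X/../x' -> '/admin/login/../x'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize_vulnerable(uri: str) -> str:
    """Mimics the normalization the page describes for preHandle: URL-decode,
    lowercase, collapse slashes, then truncate at the first ';'. The truncation
    throws away everything after the semicolon, including '..' segments."""
    path = re.sub(r"/+", "/", unquote(uri).lower())
    semi = path.find(";")
    return path[:semi] if semi != -1 else path


def normalize_hardened(uri: str) -> str:
    """Safer variant: strip path parameters per segment, collapse slashes,
    resolve '.' and '..', and only then lowercase for matching."""
    path = re.sub(r"/+", "/", unquote(uri))
    path = posixpath.normpath(_strip_path_params(path))
    if not path.startswith("/") or "\x00" in path:
        raise ValueError("rejected request path: %r" % uri)
    return path.lower()


def container_resolve(uri: str) -> str:
    """Models how the servlet container picks the handler (assumption for this
    example: path parameters dropped per segment, dot segments resolved, as
    Tomcat does). This is the path that actually gets executed."""
    path = re.sub(r"/+", "/", unquote(uri))
    return posixpath.normpath(_strip_path_params(path))


def needs_login(normalized_path: str) -> bool:
    """The interceptor's rule: admin paths need a session unless whitelisted."""
    is_admin = normalized_path == "/admin" or normalized_path.startswith("/admin/")
    return is_admin and not normalized_path.startswith(PUBLIC_ADMIN_PREFIXES)


def interceptor_decision(uri: str, normalize):
    """Return (blocked, handler_path). A bypass shows up as blocked=False
    while handler_path is a protected admin endpoint."""
    try:
        seen_by_check = normalize(uri)
    except ValueError:
        return True, None
    return needs_login(seen_by_check), container_resolve(uri)


if __name__ == "__main__":
    for uri in ("/admin/article/publish", "/admin/login;/../article/publish"):
        print(uri, "vulnerable ->", interceptor_decision(uri, normalize_vulnerable))
        print(uri, "hardened   ->", interceptor_decision(uri, normalize_hardened))
```

With the vulnerable normalizer, /admin/login;/../article/publish is seen by the check as /admin/login (whitelisted, not blocked) while the container executes /admin/article/publish; the hardened normalizer sees /admin/article/publish and blocks it, yet still lets /admin/login;jsessionid=... through, so legitimate path parameters keep working. The general rule the example illustrates is that an access check must match on the same canonical path the router will use, never on a differently normalized copy of it.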
Source: https://github.com/WinterChenS/my-site/issues/97
User: fushuling (UID 45488)
Submitted: 2025-07-25 15:15 (9 months ago)
Moderation: 2025-08-10 13:20 (16 days later)
Status: Accepted
VulDB Entry: 319372 [WinterChenS my-site up to 1f7525f15934d9d6a278de967f6ec9f1757738d8 Backend Interface /admin/ preHandle uri weak authentication]
Points: 20
