
There is an incorrect access control flaw in your project

Open zsdlove opened this issue 6 years ago • 0 comments

Hello, guy, there is an incorrect access control flaw in your project.

The following is the proof of this flaw. There are two roles in the project, the permission role and the super administrator role. The permission role only has the permission to change the permissions of the users, while the super administrator role has all of the permissions, which include permission management, content management and skin management. When we log in with the super administrator role, we can see:

[image]

As the picture shows, the super administrator has three permissions. When we log in with the permission role, we can see:

[image]

As the picture shows, the permission role has only one permission.

How does the flaw happen? We know that if the backend controller doesn't check the permission of the role, it will cause an incorrect access control flaw. See the code of the cmscontroller; the path of the cmscontroller is: tianti-module-admin\src\main\java\com\jeff\tianti\controller\cmscontroller.java

[image]

In this place, we can see it uses the Spring framework: the request "/column/list" is mapped to a function called columnList. It doesn't do a permission check, which will cause the incorrect access control flaw. How to prove it? We request the URL "http://127.0.0.1:8080/tianti-module-admin/cms/column/list" directly.

[image]

We can see that the permission role can access the column list page, and it can edit the columns too.

[image]

And in the skin management there exists incorrect access control too.
We can use the permission role to access the URL "http://127.0.0.1:8080/tianti-module-admin/user/skin/list"

[image]

We can locate the flawed code in tianti-module-admin\src\main\java\com\jeff\tianti\controller\usercontroller.java

[image]

It maps the request "/skin/list" to the function skinList, and doesn't do a permission check.

Advice:

[image]

Before executing the main logic of the function where the controller receives the request from the frontend, please do a permission check.

Hope you guys fix this flaw quickly. If you have any questions, please contact me by e-mail: [email protected]

zsdlove · Nov 07 '18 16:11
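The report's point is that the handlers for "/cms/column/list" and "/user/skin/list" render their pages without first confirming that the caller's role holds the relevant permission, so the permission role reaches content and skin management. The following is an added illustration, not tianti's own code: a plain-Java model of the same controller shape, with the unchecked handler beside a hardened one that runs a permission check before any of its main logic. The Permission enum, the Session type, the role names and the route-to-permission table are assumptions made for this example; the three permission areas and the two URLs are the ones named in the report.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not tianti's own code): a plain-Java model of the
 * authorization gap described in the issue. The role names, the
 * Permission enum and the route table below are assumptions.
 */
public class ControllerAuthzExample {

    /** The three admin permission areas named in the report. */
    enum Permission { PERMISSION_MANAGEMENT, CONTENT_MANAGEMENT, SKIN_MANAGEMENT }

    /** A logged-in session: the user name and the permissions the role grants. */
    static final class Session {
        final String user;
        final Set<Permission> granted;
        Session(String user, Set<Permission> granted) { this.user = user; this.granted = granted; }
    }

    /** Thrown when a handler is reached without the permission it requires. */
    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /**
     * Route table (assumed): which permission each admin URL requires. In the
     * reported code the first two routes had no such check, so any
     * authenticated role could reach them.
     */
    static final Map<String, Permission> REQUIRED = new HashMap<>();
    static {
        REQUIRED.put("/cms/column/list", Permission.CONTENT_MANAGEMENT);
        REQUIRED.put("/user/skin/list", Permission.SKIN_MANAGEMENT);
        REQUIRED.put("/user/permission/list", Permission.PERMISSION_MANAGEMENT);
    }

    /** Vulnerable shape: the handler renders the page with no check at all. */
    static String columnListUnchecked(Session s) {
        return "column list rendered for " + s.user;
    }

    /**
     * Hardened shape: the first thing the handler does, before any of its
     * main logic, is verify that the caller's role holds the required permission.
     */
    static String columnListChecked(Session s) {
        requirePermission(s, "/cms/column/list");
        return "column list rendered for " + s.user;
    }

    static String skinListChecked(Session s) {
        requirePermission(s, "/user/skin/list");
        return "skin list rendered for " + s.user;
    }

    /** Central check: one table covers every mapped URL instead of relying on each handler to remember. */
    static void requirePermission(Session s, String path) {
        Permission needed = REQUIRED.get(path);
        if (needed == null) {
            // Fail closed: a URL missing from the table is a configuration bug, not an open door.
            throw new AccessDeniedException("no permission mapping for " + path);
        }
        if (!s.granted.contains(needed)) {
            throw new AccessDeniedException(s.user + " lacks " + needed + " for " + path);
        }
    }

    /** True if the call is denied; used to show the two outcomes side by side. */
    static boolean isDenied(Session s, String path) {
        try {
            requirePermission(s, path);
            return false;
        } catch (AccessDeniedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Session superAdmin = new Session("superadmin", EnumSet.allOf(Permission.class));
        Session permissionRole = new Session("permrole", EnumSet.of(Permission.PERMISSION_MANAGEMENT));

        // Without the check, the permission role reaches content management.
        System.out.println(columnListUnchecked(permissionRole));

        // With the check, the super administrator passes and the permission role is stopped.
        System.out.println(columnListChecked(superAdmin));
        System.out.println(skinListChecked(superAdmin));
        System.out.println("permrole denied /cms/column/list: " + isDenied(permissionRole, "/cms/column/list"));
        System.out.println("permrole denied /user/skin/list: " + isDenied(permissionRole, "/user/skin/list"));
        System.out.println("permrole denied /user/permission/list: " + isDenied(permissionRole, "/user/permission/list"));
    }
}
```

In the real Spring application the same check would not be hand-written in each handler: the usual choices are Spring Security's method-level `@PreAuthorize` on the handler, or a `HandlerInterceptor` registered for the admin module's URL patterns so that a newly added mapping cannot silently skip the check. Either way the check runs before the handler's main logic, which is exactly what the report's advice asks for.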