There is an authentication bypass vulnerability in MallChat. An attacker can exploit this vulnerability to access the /capi/ API without any token.
Source code
The affected source code class is com.abin.mallchat.common.common.intecepter.TokenInterceptor, and the affected function is preHandle. The filter code uses request.getRequestURI() to obtain the request path and then checks whether the third segment of the path equals public.
If the condition is met, it executes return true and the request skips the interceptor. Otherwise, it blocks the current request and returns a login error in the response.
The problem lies in using request.getRequestURI() to obtain the request path. The path returned by this function is not normalized; special segments are passed through unchanged, so ../ can be used to bypass the check.
The prerequisite for exploitation is that the server.servlet.context-path configuration is non-empty. Here it is exemplified with /demo. Taking one of the backend interfaces, /capi/user/userInfo, as an example (the full path in this case is /demo/capi/user/userInfo), the request path /xxx/yyy/public/../../../demo/capi/user/userInfo satisfies isPublicURI() and at the same time reaches the userInfo interface, achieving a login bypass.
Reproduce the vulnerability
Accessing http://localhost:8080/demo/capi/user/userInfo directly results in an error response.
However, accessing http://localhost:8080/xxx/yyy/public/../../../demo/capi/user/userInfo bypasses the authentication check.
Version: latest
Branch: main
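The following is an added example, not code from the MallChat project or from the issue author. It models the check described above (the third segment of the raw request URI must equal public) next to the path normalization a servlet container applies before choosing a handler, so the disagreement between the two can be seen directly. The context path /demo and the handler names are taken from the issue's example; the segment index, the normalize() routine and the hardened variant are assumptions made for the model, not the project's code.

```python
"""Model of the raw-URI "public" check versus container path normalization.

Added example. The segment index, normalize() and the hardened check are
assumptions for this model; only the /demo context path and the
/capi/user/userInfo target come from the issue text.
"""
from urllib.parse import unquote

CONTEXT_PATH = "/demo"       # assumption: the issue's example server.servlet.context-path
PROTECTED_PREFIX = "/capi/"  # from the issue: endpoints under /capi/ require a token


def normalize(raw_uri: str) -> str:
    """Decode and remove dot segments (RFC 3986 section 5.2.4).

    This models what the container does to the request line before mapping
    it to a handler; the interceptor's raw getRequestURI() never sees it.
    """
    stack = []
    for seg in unquote(raw_uri).split("/"):
        if seg == "..":
            if stack:
                stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack)


def vulnerable_is_public(raw_uri: str) -> bool:
    """Check as described in the issue: third segment of the RAW URI is 'public'."""
    parts = raw_uri.split("/")
    return len(parts) > 3 and parts[3] == "public"


def hardened_is_public(raw_uri: str) -> bool:
    """Same rule, applied after decoding and normalizing, relative to the context path.

    Any URI that still carries a '.' or '..' segment after decoding is refused
    outright, so the path the interceptor judges is the path that will be served.
    """
    decoded = unquote(raw_uri)
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    path = normalize(raw_uri)
    if not path.startswith(CONTEXT_PATH + "/"):
        return False
    rel = path[len(CONTEXT_PATH):]  # e.g. /capi/public/...
    parts = rel.split("/")
    return len(parts) > 2 and parts[2] == "public"


def handle(raw_uri: str, has_token: bool, is_public) -> str:
    """Interceptor followed by dispatch: returns the handler that runs, or '401'.

    `is_public` is either vulnerable_is_public or hardened_is_public.
    """
    if not (is_public(raw_uri) or has_token):
        return "401"
    path = normalize(raw_uri)  # the container routes on the normalized path
    if path.startswith(CONTEXT_PATH + PROTECTED_PREFIX):
        return "handler:" + path[len(CONTEXT_PATH):]
    return "404"


# Constructed requests: the issue's direct and bypass URIs, plus a legitimate
# public endpoint and a percent-encoded variant of the bypass.
DIRECT = "/demo/capi/user/userInfo"
BYPASS = "/xxx/yyy/public/../../../demo/capi/user/userInfo"
ENCODED_BYPASS = "/xxx/yyy/public/%2e%2e/%2e%2e/%2e%2e/demo/capi/user/userInfo"
PUBLIC_OK = "/demo/capi/public/config"

if __name__ == "__main__":
    for uri in (DIRECT, BYPASS, ENCODED_BYPASS, PUBLIC_OK):
        print(f"{uri}\n  vulnerable: {handle(uri, False, vulnerable_is_public)}"
              f"\n  hardened:   {handle(uri, False, hardened_is_public)}")
```

Running the model without a token, the direct URI is refused by both checks, the bypass URI is served by the vulnerable check because the raw third segment is public while the normalized path is /demo/capi/user/userInfo, and the hardened check refuses both bypass forms while still admitting the genuine public endpoint.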