
An incorrect access control security problem #3

Closed
juicyideas opened this issue Mar 16, 2021 · 2 comments
Comments

@juicyideas

Hello, I have found a security problem in your project.
You use Spring Security to identify users. However, when configuring the access paths, because Spring Security's antMatcher is not used correctly, the attacker can use the ambiguity between the server and Spring in processing the path, relying on the identity of an ordinary user to call functions that should belong to the administrator.

The path of the vulnerable code: com/greate/community/config/SecurityConfig.java

Attack method: log in as a normal user without the delete function. POST /discuss/delete with a discuss id and the server will respond "you have no privilege to request". Then POST /discuss/delete/ (append a slash); this request will be successful and the discuss with that id will be deleted.

Here is the proof:
POST /discuss/delete
[image]
POST /discuss/delete/
[image]

How to repair:

  1. add the extra /delete/ path to Spring Security
  2. deal with the path together before Spring Security.
@juicyideas (Author)

The affected code:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers(
                    "/user/setting",
                    "/user/upload",
                    "/discuss/add",
                    "/comment/add/**",
                    "/letter/**",
                    "/notice/**",
                    "/like",
                    "/follow",
                    "/unfollow"
            )
            .hasAnyAuthority(
                    AUTHORITY_USER,
                    AUTHORITY_ADMIN,
                    AUTHORITY_MODERATOR
            )

            .antMatchers(
                    "/discuss/top",
                    "/discuss/wonderful"
            )
            .hasAnyAuthority(
                    AUTHORITY_MODERATOR
            )

            // Ant-style pattern: matches "/discuss/delete" exactly, but not "/discuss/delete/",
            // which Spring MVC still routes to the same handler (the bypass described above).
            .antMatchers(
                    "/discuss/delete",
                    "/data/**"
            )
            .hasAnyAuthority(
                    AUTHORITY_ADMIN
            )

            .anyRequest().permitAll()

            .and().csrf().disable();
}
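As an added example (not the project's own code), the two repairs suggested in this issue written out for the config above. It assumes Spring Boot 2.x / Spring Security 5.x with the WebSecurityConfigurerAdapter style shown in the snippet; the AUTHORITY_* values are placeholders, since the project's real constants are not on this page, and only the authorization rules are shown.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder authority names (assumption); the project's real constants are not shown here.
    private static final String AUTHORITY_USER = "user";
    private static final String AUTHORITY_ADMIN = "admin";
    private static final String AUTHORITY_MODERATOR = "moderator";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Fix 1 (issue's suggestion 1, done generically): mvcMatchers applies the same
                // matching rules as the @RequestMapping handlers, so a rule for "/discuss/delete"
                // also covers "/discuss/delete/". antMatchers treats the slash variant as a
                // different path, which is exactly the gap the report exploits.
                .mvcMatchers("/discuss/delete", "/data/**")
                .hasAnyAuthority(AUTHORITY_ADMIN)
                .mvcMatchers("/discuss/top", "/discuss/wonderful")
                .hasAnyAuthority(AUTHORITY_MODERATOR)
                .mvcMatchers("/user/setting", "/user/upload", "/discuss/add",
                             "/comment/add/**", "/letter/**", "/notice/**",
                             "/like", "/follow", "/unfollow")
                .hasAnyAuthority(AUTHORITY_USER, AUTHORITY_ADMIN, AUTHORITY_MODERATOR)
                // Rules are evaluated in order; the catch-all must stay last.
                .anyRequest().permitAll();
    }
}

// Fix 2 (issue's suggestion 2): remove the ambiguity at the source, so Spring MVC no
// longer routes "/discuss/delete/" to the handler mapped for "/discuss/delete". A request
// for the slash variant then gets 404 instead of reaching the controller behind the rule.
@Configuration
class StrictPathMatchConfig implements WebMvcConfigurer {
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseTrailingSlashMatch(false);
    }
}
```

On Spring Security 6 / Spring Framework 6 the matcher methods are replaced by requestMatchers (MVC-style matching by default) and trailing-slash matching is off by default, so the same check there is simply that no antMatchers-style rule is reintroduced.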

@Veal98 (Owner)

Veal98 commented Mar 19, 2021

Thanks

@Veal98 Veal98 closed this as completed Mar 19, 2021