Bypass password access to encrypted articles #135

Closed
4 of 6 tasks
kingz40o opened this issue Apr 4, 2019 · 3 comments
Labels
vulnerability Vulnerability

Comments


kingz40o commented Apr 4, 2019

I confirm that I have checked (mark [ ][x])


I am requesting (mark [ ][x])

  • Bug report
  • Add a new feature or functionality
  • Request technical support

The password accessing the article is flawed. The code only verifies the "halo-post-password-" + post.getPostId() in the cookie, but it does not verify that the password is correct.

```java
        // Check whether the post is password-protected
        if (StrUtil.isNotEmpty(post.getPostPassword())) {
            Cookie cookie = ServletUtil.getCookie(request, "halo-post-password-" + post.getPostId());
            // Only the presence of the cookie is checked; its value is never compared with the password
            if (null == cookie) {
                post.setPostSummary("该文章为加密文章");
                post.setPostContent("<form id=\"postPasswordForm\" method=\"post\" action=\"/archives/verifyPostPassword\"><p>该文章为加密文章,输入正确的密码即可访问。</p><input type=\"hidden\" id=\"postId\" name=\"postId\" value=\"" + post.getPostId() + "\"> <input type=\"password\" id=\"postPassword\" name=\"postPassword\"> <input type=\"submit\" id=\"passwordSubmit\" value=\"提交\"></form>");
            }
        }
        model.addAttribute("post", post);
        return this.render("post");
    }
```

Send the postId to the server by entering the wrong password, and then add the cookie "halo-post-password-4027 (current article id) = 96e79218965eb72c92a549dd5a330112 (any md5 encrypted string)" to access the encrypted article content.

```
HTTP/1.1 302 Found
Server: nginx/1.15.8
Date: Thu, 04 Apr 2019 15:02:04 GMT
Content-Length: 0
Connection: close
Location: https://demo.halo.run/archives/1554388726735
Content-Language: zh-CN
Set-Cookie: halo-post-password-4032=96e79218965eb72c92a549dd5a330112
Strict-Transport-Security: max-age=31536000
```

The vulnerability was discovered by Chaitin Tech.
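
An added example (not code from the Halo project or from the reporter) contrasting the presence-only cookie check described in the report with a check that verifies the cookie value on the server. The HMAC token scheme, the class and method names, the demo key and the demo password are assumptions made for illustration; only the cookie name prefix and the forged cookie value come from the report.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class PostAccessCheck {
    static final String COOKIE_PREFIX = "halo-post-password-";

    // Flawed check as described in the report: any cookie with the right name passes.
    static boolean presenceOnly(Map<String, String> cookies, long postId) {
        return cookies.containsKey(COOKIE_PREFIX + postId);
    }

    // Token the server would set only after the submitted password matched (hypothetical scheme).
    // It is bound to the post id and the stored password and keyed with a server-side secret.
    static String issueToken(byte[] serverKey, long postId, String storedPassword) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
        mac.update((postId + ":").getBytes(StandardCharsets.UTF_8));
        byte[] tag = mac.doFinal(storedPassword.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Hardened check: recompute the expected token and compare it in constant time.
    static boolean verified(Map<String, String> cookies, byte[] serverKey,
                            long postId, String storedPassword) throws Exception {
        String presented = cookies.get(COOKIE_PREFIX + postId);
        if (presented == null) {
            return false;
        }
        byte[] expected = issueToken(serverKey, postId, storedPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed; use a random secret
        long postId = 4032;
        String stored = "constructed-post-password"; // constructed stand-in for post.getPostPassword()
        // Cookie value quoted in the report: it is not derived from the post's password.
        Map<String, String> forged = Map.of(COOKIE_PREFIX + postId, "96e79218965eb72c92a549dd5a330112");
        Map<String, String> genuine = Map.of(COOKIE_PREFIX + postId, issueToken(key, postId, stored));
        System.out.println("presence-only accepts forged cookie: " + presenceOnly(forged, postId));
        System.out.println("verified accepts forged cookie:      " + verified(forged, key, postId, stored));
        System.out.println("verified accepts issued cookie:      " + verified(genuine, key, postId, stored));
    }
}
```

Because the token covers the post id and the stored password, a cookie issued for one post does not unlock another, and changing the post's password invalidates cookies issued earlier.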

Member

ruibaby commented Apr 4, 2019

Ok, we will start to solve these problems, thank you very much for your feedback.

@JohnNiang JohnNiang added the vulnerability Vulnerability label Apr 4, 2019
Member

ruibaby commented May 28, 2019

We are preparing to release v1, so this issue is being closed.

@ruibaby ruibaby closed this as completed May 28, 2019

JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023
…#135)

Bumps [@vue/cli-service](https://github.com/vuejs/vue-cli/tree/HEAD/packages/@vue/cli-service) from 3.12.1 to 4.3.1.
- [Release notes](https://github.com/vuejs/vue-cli/releases)
- [Changelog](https://github.com/vuejs/vue-cli/blob/dev/CHANGELOG.md)
- [Commits](https://github.com/vuejs/vue-cli/commits/v4.3.1/packages/@vue/cli-service)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>