
Bypass password access to encrypted articles #135

Closed
@kingz40o

Description

I confirm that I have already checked (mark [ ] [x])

I am submitting (mark [ ] [x])

  • a bug report
  • a request to add a new feature or function
  • a request for technical support

The password access to the article is flawed. The code only checks for the "halo-post-password-" + post.getPostId() cookie, but it does not verify that the password is correct.

```java
// Excerpt of the post-rendering controller method as quoted in the report.
// Check whether the post is password-protected
if (StrUtil.isNotEmpty(post.getPostPassword())) {
    Cookie cookie = ServletUtil.getCookie(request, "halo-post-password-" + post.getPostId());
    // Only the cookie's presence is tested; its value is never compared to anything
    if (null == cookie) {
        post.setPostSummary("该文章为加密文章");
        post.setPostContent("<form id=\"postPasswordForm\" method=\"post\" action=\"/archives/verifyPostPassword\"><p>该文章为加密文章,输入正确的密码即可访问。</p><input type=\"hidden\" id=\"postId\" name=\"postId\" value=\"" + post.getPostId() + "\"> <input type=\"password\" id=\"postPassword\" name=\"postPassword\"> <input type=\"submit\" id=\"passwordSubmit\" value=\"提交\"></form>");
    }
}
model.addAttribute("post", post);
return this.render("post");
```

Send the postId to the server by entering a wrong password, and then add the cookie "halo-post-password-4027 (current article id) = 96e79218965eb72c92a549dd5a330112 (any md5 encrypted string)" to access the encrypted article content.

```http
HTTP/1.1 302 Found
Server: nginx/1.15.8
Date: Thu, 04 Apr 2019 15:02:04 GMT
Content-Length: 0
Connection: close
Location: https://demo.halo.run/archives/1554388726735
Content-Language: zh-CN
Set-Cookie: halo-post-password-4032=96e79218965eb72c92a549dd5a330112
Strict-Transport-Security: max-age=31536000
```

The vulnerability was discovered by Chaitin Tech.
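As an added example (not Halo's own code), the presence-only cookie check from the report beside a version that verifies the cookie's value: the cookie must carry an HMAC over the post id and password keyed with a server-side secret and is compared in constant time. The `Post` class, the server secret and the HMAC scheme are assumptions for illustration, not what the project implements.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class PostPasswordCheck {
    // Constructed stand-in for the project's Post model (assumption).
    static final class Post {
        final long postId; final String postPassword;
        Post(long postId, String postPassword) { this.postId = postId; this.postPassword = postPassword; }
    }

    // Pattern described in the report: any cookie with the expected name unlocks the post.
    static boolean unlockedPresenceOnly(String cookieValue) {
        return cookieValue != null;
    }

    // Token the server would set only after a correct password submission:
    // HMAC-SHA256 over "postId:password" under a secret the client never sees.
    static String expectedToken(Post post, byte[] serverSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
        byte[] out = mac.doFinal((post.postId + ":" + post.postPassword).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : out) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Hardened check: presence is not enough, the value must match the expected token.
    static boolean unlockedVerified(Post post, String cookieValue, byte[] serverSecret) throws Exception {
        if (cookieValue == null) return false;
        byte[] expected = expectedToken(post, serverSecret).getBytes(StandardCharsets.UTF_8);
        byte[] given = cookieValue.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given); // constant-time, length-safe comparison
    }

    public static void main(String[] args) throws Exception {
        Post post = new Post(4027L, "sample-password");              // constructed sample post
        byte[] secret = "replace-with-random-server-secret".getBytes(StandardCharsets.UTF_8);
        String forged = "96e79218965eb72c92a549dd5a330112";          // the cookie value from the report
        System.out.println("presence-only check, forged cookie: " + unlockedPresenceOnly(forged));
        System.out.println("verified check, forged cookie:      " + unlockedVerified(post, forged, secret));
        String legit = expectedToken(post, secret);                  // what a correct submission would set
        System.out.println("verified check, legitimate cookie:  " + unlockedVerified(post, legit, secret));
    }
}
```

The forged value passes the presence-only check and fails the verified one; the cookie should additionally be set with HttpOnly and Secure and given an expiry.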
