
[2 security issues] jeecg-boot <= 2.4.5 API interface has unauthorized access and leaks sensitive information such as email and phone, and allows enumeration of usernames that exist in the system #2794

Closed
88ai opened this issue Jul 15, 2021 · 1 comment

Comments

@88ai

88ai commented Jul 15, 2021

Version:

<=2.4.5

Problem description:
1. Sensitive information leak API URI: /sys/user/querySysUser?username=admin

Leaks sensitive information such as phone number, etc.

2. Username enumeration API URI: /sys/user/checkOnlyUser?username=admin

Through enumeration, it is found that there are 2 accounts, admin and user1, in the system.

Screenshots & code:

version:2.4.5


@zhangdaiscott
Member

It does exist, because some registration logic relies on these checks. If you have strict security requirements and do not need the registration feature, you can comment them out in ShiroConfig to strengthen security.
org.jeecg.config.shiro.ShiroConfig
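The hardening the maintainer describes, shown as an added example rather than jeecg-boot's own ShiroConfig: the two lookup paths from the report are required to be authenticated instead of anonymous, and a startup guard fails fast if a later change reopens them. The class name, the `SENSITIVE_USER_LOOKUPS` list and the `assertNoAnonymousUserLookups` helper are assumptions of this example; only the two URIs come from the issue.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class HardenedShiroConfig {

    // Endpoints named in the report (hypothetical list for this example;
    // the real jeecg-boot ShiroConfig may register them differently).
    static final List<String> SENSITIVE_USER_LOOKUPS = List.of(
            "/sys/user/querySysUser",   // returned phone/email for a username
            "/sys/user/checkOnlyUser"); // answered whether a username exists

    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);

        // Shiro matches chain entries in insertion order; first match wins.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/sys/login", "anon");            // login itself stays open
        // Weak setting described in the report (kept only as a comment):
        // chain.put("/sys/user/querySysUser", "anon");
        // chain.put("/sys/user/checkOnlyUser", "anon");
        // Corrected setting: an authenticated session is required.
        for (String path : SENSITIVE_USER_LOOKUPS) {
            chain.put(path, "authc");
        }
        chain.put("/**", "authc");                  // default-deny for the rest

        assertNoAnonymousUserLookups(chain);
        bean.setFilterChainDefinitionMap(chain);
        return bean;
    }

    // Regression guard: refuse to start if a lookup path is anonymous again,
    // whether explicitly or by falling through to an open catch-all.
    static void assertNoAnonymousUserLookups(Map<String, String> chain) {
        for (String path : SENSITIVE_USER_LOOKUPS) {
            String filter = chain.getOrDefault(path, chain.get("/**"));
            if (filter == null || filter.contains("anon")) {
                throw new IllegalStateException(
                        "Shiro chain leaves " + path + " reachable without authentication");
            }
        }
    }
}
```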
