
[security issue] jeecg-boot versions less than or equal to 2.4.5: the httptrace interface allows unauthorized access and leaks sensitive information such as user cookies #2793

Closed
myzing00 opened this issue Jul 15, 2021 · 1 comment

Comments

@myzing00

Version:

2.4.5

Problem description:

Unauthorized access to the httptrace interface reveals sensitive information such as user cookies

Screenshots & code:

API interface:
http://Ip:8080/jeecg-boot/actuator/httptrace/
This interface does not require any login permissions.
Local demo (screenshot)
Many jeecg-boot frameworks have such vulnerabilities, such as (screenshot)

The leaked information includes client IP, browser useragent, cookie, token, etc.

Friendly reminder: posts that do not follow the format requirements will be deleted directly.

@zhangdaiscott
Member

When releasing to production, comment out the following code in org.jeecg.config.shiro.ShiroConfig

    // Performance monitoring  TODO security vulnerability: leaks the TOKEN (the druid connection pool has this too)
    filterChainDefinitionMap.put("/actuator/**", "anon");
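A defender-side check to go with the maintainer's fix, added here and not part of the jeecg-boot project: save the JSON that your own instance's /actuator/httptrace returns to an unauthenticated request and run this audit over it to see exactly which credentials and identifying fields it exposes. The sample traces, and the header names treated as secrets (X-Access-Token in particular), are constructed assumptions rather than values from this issue.

```python
import json

# Header names whose values are credentials or session material.
SECRET_HEADERS = {"cookie", "set-cookie", "authorization", "x-access-token"}
# Not secrets, but they still identify individual users.
FINGERPRINT_HEADERS = {"user-agent", "x-forwarded-for"}

# Constructed sample in the Spring Boot 2 httptrace JSON layout; not a real capture.
SAMPLE_HTTPTRACE = json.dumps({"traces": [
    {"timestamp": "2021-07-15T08:00:00Z",
     "request": {"method": "GET", "uri": "http://ip:8080/jeecg-boot/sys/user/list",
                 "headers": {"Cookie": ["JSESSIONID=constructed-session-id"],
                             "X-Access-Token": ["constructed.jwt.value"],
                             "User-Agent": ["Mozilla/5.0 (constructed)"]},
                 "remoteAddress": "10.0.0.5"},
     "response": {"status": 200, "headers": {"Set-Cookie": ["JSESSIONID=rotated"]}},
     "timeTaken": 12},
    {"timestamp": "2021-07-15T08:00:01Z",
     "request": {"method": "GET", "uri": "http://ip:8080/jeecg-boot/actuator/health",
                 "headers": {"Accept": ["*/*"]}},
     "response": {"status": 200, "headers": {}}, "timeTaken": 3},
]})


def redact(value: str, keep: int = 8) -> str:
    """Keep only a prefix so the audit report is not itself a leak."""
    return value[:keep] + "..." if len(value) > keep else value


def audit_httptrace(body: str) -> list:
    """Return (uri, kind, field, redacted value) for every leaked item."""
    findings = []
    for trace in json.loads(body).get("traces", []):
        req = trace.get("request", {})
        uri = req.get("uri", "?")
        for side in ("request", "response"):
            for name, values in trace.get(side, {}).get("headers", {}).items():
                if name.lower() in SECRET_HEADERS:
                    kind = "secret"
                elif name.lower() in FINGERPRINT_HEADERS:
                    kind = "fingerprint"
                else:
                    continue
                findings += [(uri, kind, f"{side}:{name}", redact(v)) for v in values]
        if req.get("remoteAddress"):  # client IP, present when the trace records it
            findings.append((uri, "fingerprint", "remoteAddress", req["remoteAddress"]))
    return findings


for uri, kind, field, value in audit_httptrace(SAMPLE_HTTPTRACE):
    print(f"[{kind}] {uri} {field} = {value}")
```

Any "secret" finding means an anonymous caller can replay a logged-in user's session; the fix in the reply above (removing the anon rule for /actuator/**) should make the endpoint return an authentication failure instead.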
