There is an incorrect access control flaw in your project #29

Open
zsdlove opened this Issue Nov 7, 2018 · 0 comments

zsdlove commented Nov 7, 2018

Hello, guys, there is an incorrect access control flaw in your project.

The following is the proof of this flaw.
There are two roles in the project, the permission role and the super administrator role. The permission role only has the permission to change the permissions of users, and the super administrator role has all of the permissions, which include permission management, content management, and skin management.
When we use the super administrator role to log in, we can see:
[image]
As the picture shows, the super administrator has three permissions.
When we use the permission role to log in, we can see:
[image]
As the picture shows, the permission role has only one permission.

How does the flaw happen?
We know that if the backend controller doesn't check the permission of the role, it will cause an incorrect access control flaw.
See the code of the cmscontroller.
The path of the cmscontroller is:
tianti-module-admin\src\main\java\com\jeff\tianti\controller\cmscontroller.java
[image]
In this place, we can see it uses the Spring framework; the request "/column/list" maps to a function called columnList. It doesn't do a permission check, which will cause the incorrect access control flaw.
How to prove it?
We request the URL "http://127.0.0.1:8080/tianti-module-admin/cms/column/list" directly.
[image]
We can see that the permission role can access the column list page, and it can edit the columns too.
[image]

And in the skin management, there exists incorrect access control, too.
We can use the permission role to access the URL "http://127.0.0.1:8080/tianti-module-admin/user/skin/list"

[image]
We can locate the flawed code in
tianti-module-admin\src\main\java\com\jeff\tianti\controller\usercontroller.java
[image]
It maps the request "/skin/list" to the function skinList, and doesn't do a permission check.

Advice:
[image]
Before executing the main logic code of the function where the controller receives the request from the frontend, please do a permission check.

Hope you guys fix this flaw quickly; if you have some questions, please contact me by e-mail:
747289639@qq.com
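The check the issue advises, shown as an added Spring MVC example that is not code from the tianti project. SessionUser, PermissionService, ColumnService, the session attribute name, the permission codes and the view names are assumptions made for the example.

```java
// Added example of the check the issue asks for; not code from the tianti
// project. SessionUser, PermissionService, ColumnService, the session
// attribute name, the permission codes and the view names are assumptions.
package example.cms;

import javax.servlet.http.HttpSession;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/cms")
public class ColumnController {
    private static final String LIST_PERM = "cms:column:list"; // assumed permission code

    private final PermissionService permissionService; // assumed service
    private final ColumnService columnService;         // assumed service

    public ColumnController(PermissionService permissionService, ColumnService columnService) {
        this.permissionService = permissionService;
        this.columnService = columnService;
    }

    // Option 1: explicit check as the first statement of the handler. Without it,
    // any logged-in user (the permission role included) who requests
    // /cms/column/list reaches the column data, which is the flaw reported above.
    @RequestMapping("/column/list")
    public String columnList(HttpSession session, Model model) {
        SessionUser user = (SessionUser) session.getAttribute("user");
        if (user == null || !permissionService.hasPermission(user.getId(), LIST_PERM)) {
            // Deny before any data is loaded; Spring Security renders this as 403.
            throw new AccessDeniedException("missing permission " + LIST_PERM);
        }
        model.addAttribute("columns", columnService.listAll());
        return "cms/column_list";
    }

    // Option 2: declarative check with Spring Security method security (needs
    // @EnableGlobalMethodSecurity(prePostEnabled = true) on a configuration class).
    // The expression is evaluated before the body runs, so it cannot be forgotten.
    @PreAuthorize("hasAuthority('cms:column:edit')")
    @RequestMapping("/column/edit")
    public String columnEdit(Model model) {
        model.addAttribute("columns", columnService.listAll());
        return "cms/column_edit";
    }
}
```

The same pattern applies to the skinList handler in usercontroller.java: the check (or the annotation) goes before the handler touches any skin data.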
