Skip to content

There is an Incorrect Access Control vulnerability in jobx #48

New issue
New issue
Open
Open
There is an Incorrect Access Control vulnerability in jobx#48
@RacerZ-fighting

Description

@RacerZ-fighting
RacerZ-fighting
opened on Dec 23, 2024

Version: <= v1.0.1-RELEASE

Brach: main

Problem:

There is an authentication bypass vulnerability in jobx. An attacker can exploit this vulnerability to access sensitive API without any token.

Sourcecode Analysis

  1. The affected source code class is com.jobxhub.server.handler.SecurityHandlerInterceptor, and the affected function is preHandle. In the filter code, use request.getContextPath() + request.getServletPath() to obtain the request path,
image

and then determine whether the requestURI is static resources. If it is a static resource, it will be directly allowed.
2. The problem lies in using request.getContextPath() to obtain the context path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it.
The prerequisite for the vulnerability exploitation is that the contextPath configuration is non-empty. Here, it is exemplified with /demo.Taking one of the backend interfaces as an example(full path in case is /demo/user/get.do), using /login/../demo/user/get.do can make it satisfy static resource, and at the same time, it can request the /user/get.do interface to achieve login bypass.

Reproduce the vulnerablitity

Accessing http://ip:port/demo/user/get.do directly will result in an redirect.
image

However, accessing http://ip:port/login/../demo/user/get.do will bypass the authentication check, and we can access any user info.
image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions