You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Problem: There is an authentication bypass vulnerability in radar. An attacker can exploit this vulnerability to access sensitive API without any token.
Source code Analysis
The affected source code class is com.pgmmers.radar.intercpt.AuthInterceptor, and the affected function is preHandle. In the filter code, use request.getRequestURI() to obtain the request path.
Next, it checks whether the uri starts with /services and includes /user/login. If both conditions are met, it will be directly allowed.
2. The problem lies in using request.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it.
Reproduce the vulnerablitity
Accessing http://ip:port/services/v1/datalist/1 directly will result in a failed response due to an empty token.
However, accessing http://ip:port/services/user/login/../../v1/datalist/1 will bypass the authentication check, and we can access any data info.
The text was updated successfully, but these errors were encountered:
Version: <= 1.0.8
Branch: master
Problem: There is an authentication bypass vulnerability in radar. An attacker can exploit this vulnerability to access sensitive API without any token.
Source code Analysis
com.pgmmers.radar.intercpt.AuthInterceptor, and the affected function ispreHandle. In the filter code, userequest.getRequestURI()to obtain the request path.Next, it checks whether the
uristarts with/servicesand includes/user/login. If both conditions are met, it will be directly allowed.2. The problem lies in using
request.getRequestURI()to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use../to bypass it.Reproduce the vulnerablitity
Accessing
http://ip:port/services/v1/datalist/1directly will result in a failed response due to an empty token.However, accessing
http://ip:port/services/user/login/../../v1/datalist/1will bypass the authentication check, and we can access any data info.The text was updated successfully, but these errors were encountered: