Trojan multi-user management and deployment program, with web page management support
GNU General Public License v3.0
Default JWT secret key can forge any user identity, such as gaining administrator privileges #703
Closed
Rvn0xsy closed 1 year ago
https://github.com/Jrohy/trojan/blob/c5fafe24b3d54cb400a98b0efa60fec8682034c0/web/auth.go#L24-L39
The secret key is hardcoded in the code; using jwt.io, one can forge any user identity, including administrators.
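Why a signing key shared by every installation breaks HS256 tokens, next to a per-installation random key, as an added example that is not the project's code and uses only the Go standard library. `sharedDefault` is a constructed placeholder and the function names are hypothetical; only the signature is checked, not expiry or other claims.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// sharedDefault is a constructed placeholder, not the project's real key.
var sharedDefault = []byte("constructed-default-key")
var b64 = base64.RawURLEncoding

// newInstallKey returns a fresh 256-bit key; generate once per install, store outside the source.
func newInstallKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// sign builds a compact HS256 JWT over the given JSON claims.
func sign(key []byte, claims string) string {
	head := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body := head + "." + b64.EncodeToString([]byte(claims))
	m := hmac.New(sha256.New, key)
	m.Write([]byte(body))
	return body + "." + b64.EncodeToString(m.Sum(nil))
}

// verify recomputes the HMAC over header.payload and compares in constant time.
func verify(key []byte, token string) bool {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return false
	}
	sig, err := b64.DecodeString(token[i+1:])
	m := hmac.New(sha256.New, key)
	m.Write([]byte(token[:i]))
	return err == nil && hmac.Equal(sig, m.Sum(nil))
}

func main() {
	tok := sign(sharedDefault, `{"id":"admin"}`) // signable by anyone who can read the source
	fmt.Println("server on default key accepts:", verify(sharedDefault, tok))
	fmt.Println("server on install key accepts:", verify(newInstallKey(), tok))
}
```

A server still verifying with the shared key accepts the token; one that generated its own key rejects it.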