zongzibinbin / MallChat

The backend project of MallChat, an e-commerce system in which you can both shop and chat. It is built to the standards of internet enterprise-level development: everything an e-commerce platform should have, such as a shopping cart, orders, payment, recommendations, search, user acquisition, user activation, push notifications, logistics, and customer service, it must have. Continuously being updated... (Give it a star so you don't lose your way.)
Apache License 2.0

There is an Incorrect Access Control vulnerability in MallChat #179

Open RacerZ-fighting opened 1 week ago

RacerZ-fighting commented 1 week ago

Version: latest

Branch: main

Problem

There is an authentication bypass vulnerability in MallChat. An attacker can exploit this vulnerability to access /capi/ API without any token.

Sourcecode

  1. The affected source code class is com.abin.mallchat.common.common.intecepter.TokenInterceptor, and the affected function is preHandle. The filter code uses request.getRequestURI() to obtain the request path, and then determines whether the third part of the path equals public. If the condition is met, it will execute return true to bypass the Interceptor. Otherwise, it will block the current request and issue a login error in the response.

  2. The problem lies in using request.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it.

The prerequisite for exploiting the vulnerability is that the server.servlet.context-path configuration is non-empty. Here, it is exemplified with /demo. Taking one of the backend interfaces, /capi/user/userInfo, as an example (the full path in this case is /demo/capi/user/userInfo), using /xxx/yyy/public/../../../demo/capi/user/userInfo can make it satisfy isPublicURI(), and at the same time it can request the userInfo interface to achieve login bypass.

Reproduce the vulnerability

Accessing http://localhost:8080/demo/capi/user/userInfo directly will result in an error response.


However, accessing http://localhost:8080/xxx/yyy/public/../../../demo/capi/user/userInfo will bypass the authentication check.

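As an added illustration, not code from the MallChat project: the first method approximates the raw-URI segment check the report describes, and the second runs the same check only after the path has been normalized and confirmed to sit under the context path. The context path /demo and the traversal URI are the report's values; /demo/capi/chat/public/roomList is a constructed sample of a genuine public URI.

```java
import java.net.URI;

// Added example, not MallChat's code. Contrasts a segment check on the raw
// request URI with one performed on a normalized, context-relative path.
public class PublicPathCheck {

    static final String CONTEXT_PATH = "/demo"; // value used in the report

    // Approximates the reported check: split the raw request URI and compare
    // its third segment with "public". Nothing resolves "..", so any URI whose
    // third raw segment is "public" is accepted, whatever it resolves to.
    static boolean isPublicRaw(String requestUri) {
        String[] parts = requestUri.split("/");
        return parts.length > 3 && "public".equals(parts[3]);
    }

    // Hardened variant: collapse "." and ".." first, require the result to sit
    // under the application's context path, and only then inspect the same
    // segment position of the context-relative path.
    static boolean isPublicNormalized(String requestUri, String contextPath) {
        String path = URI.create(requestUri).normalize().getPath();
        // A leading ".." that could not be resolved survives normalize(); refuse it.
        if (path == null || path.startsWith("/..")) {
            return false;
        }
        if (!path.startsWith(contextPath + "/")) {
            return false; // outside the context path: never treat as public
        }
        String[] parts = path.substring(contextPath.length()).split("/");
        return parts.length > 3 && "public".equals(parts[3]);
    }

    public static void main(String[] args) {
        String traversal = "/xxx/yyy/public/../../../demo/capi/user/userInfo";
        String genuine = "/demo/capi/chat/public/roomList"; // constructed sample
        System.out.println("raw check, traversal URI:        "
                + isPublicRaw(traversal));
        System.out.println("normalized check, traversal URI: "
                + isPublicNormalized(traversal, CONTEXT_PATH));
        System.out.println("normalized check, genuine URI:   "
                + isPublicNormalized(genuine, CONTEXT_PATH));
    }
}
```

Running main shows the raw check accepting the traversal URI while the normalized check rejects it and still accepts the genuine public path.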