There is an authentication bypass vulnerability in jobx. An attacker can exploit this vulnerability to access sensitive APIs without any token.
Source Code Analysis
1. The affected source code class is `com.jobxhub.server.handler.SecurityHandlerInterceptor`, and the affected function is `preHandle`. The filter code uses `request.getContextPath() + request.getServletPath()` to obtain the request path, and then determines whether the `requestURI` is a static resource. If it is a static resource, it is allowed directly.
2. The problem lies in using `request.getContextPath()` to obtain the context path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use `../` to bypass it.

The prerequisite for exploiting the vulnerability is that the `contextPath` configuration is non-empty. Here, it is exemplified with `/demo`. Taking one of the backend interfaces as an example (the full path in this case is `/demo/user/get.do`), using `/login/../demo/user/get.do` can make it satisfy the static resource check, and at the same time it can request the `/user/get.do` interface to achieve login bypass.
Reproduce the vulnerability
Accessing http://ip:port/demo/user/get.do directly will result in a redirect.
However, accessing http://ip:port/login/../demo/user/get.do will bypass the authentication check, and we can access any user info.
Version: <= v1.0.1-RELEASE
Branch: main
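The check described in the issue next to one way to harden it, as an added example that is not jobx's code. The substring markers, the `/login.do` and `/static/` entries and the method names are assumptions (the page does not show the actual condition); in a real interceptor the configured context path would come from `request.getServletContext().getContextPath()`.

```java
import java.util.List;

public class InterceptorPathCheck {
    // Assumption: substring markers treated as "no login needed".
    // Only "/login" is taken from the issue; "/static/" is a constructed sample.
    static final List<String> OPEN_MARKERS = List.of("/login", "/static/");

    // Check as the issue describes it: raw context path + servlet path.
    static boolean skipsAuthVulnerable(String rawContextPath, String servletPath) {
        String requestURI = rawContextPath + servletPath;
        return OPEN_MARKERS.stream().anyMatch(requestURI::contains);
    }

    // Hardened variant: the raw context path must equal the configured one, and
    // only the container-resolved servlet path is compared against exact entries.
    static boolean skipsAuthHardened(String rawContextPath, String servletPath,
                                     String configuredContextPath) {
        if (!rawContextPath.equals(configuredContextPath)) {
            return false; // e.g. "/login/../demo": never exempt a non-canonical prefix
        }
        for (String segment : servletPath.split("/")) {
            if (segment.equals("..") || segment.equals(".") || segment.contains(";")) {
                return false; // leftover dot segments or path parameters
            }
        }
        // Assumed open endpoints, expressed relative to the application root.
        return servletPath.equals("/login.do") || servletPath.startsWith("/static/");
    }

    public static void main(String[] args) {
        String configured = "/demo"; // context path used in the issue
        // Constructed (rawContextPath, servletPath) pairs; the second models how
        // the issue says /login/../demo/user/get.do reaches the interceptor.
        String[][] requests = {
            {"/demo", "/user/get.do"},
            {"/login/../demo", "/user/get.do"},
            {"/demo", "/login.do"},
        };
        for (String[] r : requests) {
            System.out.printf("%-16s %-14s vulnerable=%-5b hardened=%b%n",
                r[0], r[1], skipsAuthVulnerable(r[0], r[1]),
                skipsAuthHardened(r[0], r[1], configured));
        }
    }
}
```

A `true` result means the request skips the login check; only the `/login.do` row should be exempt under the hardened variant.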