Version: <= 1.0.8
Branch: master
Problem: There is an authentication bypass vulnerability in radar. An attacker can exploit this vulnerability to access sensitive API without any token.
Source code Analysis
- The affected source code class is
com.pgmmers.radar.intercpt.AuthInterceptor, and the affected function is preHandle. In the filter code, use request.getRequestURI() to obtain the request path.
Next, it checks whether the uri starts with /services and includes /user/login. If both conditions are met, it will be directly allowed.
2. The problem lies in using request.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it.
Reproduce the vulnerablitity
Accessing http://ip:port/services/v1/datalist/1 directly will result in a failed response due to an empty token.
However, accessing http://ip:port/services/user/login/../../v1/datalist/1 will bypass the authentication check, and we can access any data info.
Version: <= 1.0.8
Branch: master
Problem: There is an authentication bypass vulnerability in radar. An attacker can exploit this vulnerability to access sensitive API without any token.
Source code Analysis
com.pgmmers.radar.intercpt.AuthInterceptor, and the affected function ispreHandle. In the filter code, userequest.getRequestURI()to obtain the request path.Next, it checks whether the
uristarts with/servicesand includes/user/login. If both conditions are met, it will be directly allowed.2. The problem lies in using
request.getRequestURI()to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use../to bypass it.Reproduce the vulnerablitity
Accessing
http://ip:port/services/v1/datalist/1directly will result in a failed response due to an empty token.However, accessing
http://ip:port/services/user/login/../../v1/datalist/1will bypass the authentication check, and we can access any data info.