There is an Incorrect Access Control vulnerability in jeewx-boot

[RacerZ-fighting]

版本号：1.3

• github branch: master

问题描述：

• There is an authentication bypass vulnerability in jeewx-boot. An attacker can exploit this vulnerability to access /system/back/xxx API without any token.

问题截图：

1. The affected source code class is com.jeecg.p3.system.interceptors.LoginInterceptor, and the affected function is preHandle. In the filter code, it uses getRequestPath()(which use request.getRequestURI()) to obtain the request path,

and then determine whether the requestPath contains /back/. If the condition is not met, it will execute return true to bypass the Interceptor. Otherwise, it will block the current request and redirect to the login page.

2. The problem lies in using request.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ; to bypass it. Taking one of the backend interfaces /system/back/jwSystemUser/list.do as an example, using /system/back;/jwSystemUser/list.do can make it bypass the LoginInterceptor and access the user info without any token.

Reproduce the vulnerablitity

Accessing http://127.0.0.1/system/back/jwSystemUser/list.do directly will result in redirecting to an login page.

However, accessing http://127.0.0.1/system/back;/jwSystemUser/list.do will bypass the authentication check and access the user info.