Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Seeyon Zhiyuan OA Web Application System Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in Seeyon Zhiyuan OA Web Application System versions through 7.0 SP1. The issue arises because the application improperly decodes and parses the 'enc' parameter in 'thirdpartyController.do'. This flaw allows attackers to manipulate session attributes without adequate authentication or authorization checks, potentially assigning a session to any user ID. Exploitation of this vulnerability has been observed in the wild.
Impact
Exploitation of this vulnerability allows for unauthorized access by bypassing authentication mechanisms, enabling attackers to gain access to user sessions and associated privileges.
Reproduction
To reproduce this vulnerability, send a POST request to '/seeyon/thirdpartyController.do' with the 'method' parameter set to 'access' and the 'enc' parameter containing a specially crafted value. The response should include a 'Set-Cookie' header with a 'JSESSIONID' value, indicating that a session has been successfully hijacked. After obtaining the session cookie, a GET request can be made to '/seeyon/main.do?method=headerjs' to verify access to the application as an authenticated user.
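A defender-side check for the request sequence described above, as an added example that is not part of the original advisory: it scans web access logs for a POST to the endpoint followed by the `headerjs` request from the same client. The combined log format, correlation by client IP, the five-minute window and the sample log lines are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "POST /seeyon/thirdpartyController.do HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /seeyon/main.do?method=headerjs HTTP/1.1" 200 9120 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2024:10:16:40 +0000] "GET /seeyon/main.do?method=headerjs HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:20:00 +0000] "POST /seeyon/thirdpartyController.do?method=access HTTP/1.1" 200 312 "-" "curl/8.4"
192.0.2.9 - - [12/Mar/2024:11:45:00 +0000] "GET /seeyon/main.do?method=headerjs HTTP/1.1" 200 9120 "-" "curl/8.4"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
BYPASS_PATH = "/seeyon/thirdpartyController.do"   # endpoint named in the advisory
VERIFY_PATH = "/seeyon/main.do"                   # follow-up request from the advisory
WINDOW = timedelta(minutes=5)                     # assumed correlation window

def parse(line):
    """Return (ip, time, method, path, query, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri, status = m.groups()
    path, _, query = uri.partition("?")
    path = path.split(";")[0]                     # drop ;jsessionid=... path parameters
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method.upper(), path, query, int(status)

def find_suspects(log_text):
    """Return a list of (kind, ip) findings in log order."""
    last_post = {}                                # client IP -> time of last endpoint POST
    findings = []
    for rec in filter(None, map(parse, log_text.splitlines())):
        ip, when, method, path, query, status = rec
        if status >= 400:
            continue                              # skip requests the server rejected
        # POST bodies are not logged, so method=access and enc may be invisible here.
        if method == "POST" and path == BYPASS_PATH:
            last_post[ip] = when
            findings.append(("endpoint_post", ip))
        elif method == "GET" and path == VERIFY_PATH and "method=headerjs" in query:
            seen = last_post.get(ip)
            if seen is not None and when - seen <= WINDOW:
                findings.append(("post_then_headerjs", ip))
    return findings

if __name__ == "__main__":
    for kind, ip in find_suspects(SAMPLE_LOG):
        print(kind, ip)
```

Hits need triage: this logic sees only the request line, so it cannot tell whether the `enc` value was crafted.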
