anji-plus AJ-Report
cpe:2.3:a:anji-plus:aj-report:*:*:*:*:*:*:*
- <= 1.4.2
An authentication bypass vulnerability has been identified in Anji-Plus AJ-Report versions through 1.4.2. This vulnerability allows unauthenticated attackers to execute arbitrary code by sending a crafted URL. The issue arises from the 'TokenFilter' class, which improperly validates authentication for certain URLs, leaving exploitable bypass points. The vulnerability can be exploited by manipulating the URL to bypass authentication and then using insufficiently filtered input to execute arbitrary code.
Exploitation of this vulnerability could lead to unauthorized execution of arbitrary code on the server.
To reproduce this vulnerability, first ensure that the 'server.servlet.context-path' configuration is set to a non-empty value, such as '/demo'. Then, send a POST request to the '/login/../demo/dataSetParam/verification/' endpoint. Include a payload that takes advantage of the authentication bypass and the insufficient input validation in the 'ScriptEngine' execution engine. The payload can be crafted to execute arbitrary code, such as opening the calculator application on the server.
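For defenders reviewing access logs, the following added example (not code from AJ-Report or from this advisory) flags requests whose raw path begins with an authentication-exempt prefix but resolves to a different, protected path once dot segments are collapsed. The exempt prefix list, the log format and the sample lines are assumptions constructed for illustration; only the '/login/../demo/dataSetParam/verification/' path comes from the description above.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: path prefixes the filter exempts from authentication. Only
# "/login" is taken from the reproduction URL above; adjust to your deployment.
UNAUTH_PREFIXES = ("/login",)

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def normalize(raw_path):
    """Percent-decode once and collapse dot segments (approximates server-side resolution)."""
    path = unquote(raw_path.split("?", 1)[0]) or "/"
    # normpath may keep a leading "//", so rebuild a single leading slash
    return "/" + posixpath.normpath(path).lstrip("/")


def is_exempt(path):
    """True if the path is an exempt prefix or sits beneath one."""
    return any(path == p or path.startswith(p + "/") for p in UNAUTH_PREFIXES)


def is_bypass_candidate(raw_path):
    """Raw path looks exempt, but the path actually served is not."""
    raw = raw_path.split("?", 1)[0]
    return is_exempt(raw) and not is_exempt(normalize(raw_path))


def flag_requests(log_lines):
    """Return request paths from access-log lines that warrant review."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and is_bypass_candidate(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample lines (not real traffic), common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /login HTTP/1.1" 200 312',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /login/../demo/dataSetParam/verification/ HTTP/1.1" 200 98',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /demo/dataSetParam/verification/ HTTP/1.1" 401 45',
]

if __name__ == "__main__":
    for path in flag_requests(SAMPLE_LOG):
        print("review:", path, "->", normalize(path))
```

The same comparison, applied inside a request filter before the exemption check, is the corresponding fix: decide on the normalized path, or reject any request path that contains dot segments.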