JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*
- <= 3.9.0
A critical access control vulnerability has been identified in JeecgBoot versions prior to 3.9.0, specifically within the SysUserOnlineController. This vulnerability allows any authenticated user to manipulate user sessions by exploiting two endpoints: 'GET /sys/online/list' and 'POST /sys/online/forceLogout'. The first endpoint, which lacks proper authorization checks, can be used to retrieve sensitive information such as online users' tokens, usernames, and real names. The second endpoint can be used to forcibly log out any user, including administrators, leading to a denial-of-service condition. The vulnerability arises from missing permission annotations and inadequate verification of user privileges, allowing for unauthorized actions and exposure of sensitive data.
Exploitation of this vulnerability allows for unauthorized session termination, including that of administrators, and could be used to disrupt normal system operations, causing all users to be logged out and potentially leading to data inconsistencies.
To reproduce this vulnerability, log in as a normal user and use the 'GET /sys/online/list' endpoint to obtain tokens of all online users, including administrators. Then, use the 'POST /sys/online/forceLogout' endpoint with one of the retrieved tokens to forcibly log out the corresponding user. This process can be automated with a script that continuously calls the 'forceLogout' endpoint with the tokens of all online users, effectively logging them out and causing a denial-of-service condition.
It is recommended to add proper permission checks to both the 'GET /sys/online/list' and 'POST /sys/online/forceLogout' endpoints, ensuring that only authorized users can access these functions. A patch addressing this vulnerability is available.
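The following is an added illustration of the recommended fix, not JeecgBoot's own controller or patch. It is a hypothetical Spring MVC controller using Apache Shiro's `@RequiresPermissions` annotation to gate both endpoints; the class and method names, the `SessionStore` interface, the permission strings and the `OnlineUser` record are all constructed for this example. The commented-out block shows the unprotected shape the advisory describes, for contrast.

```java
// Added example, not JeecgBoot project code. Assumes Spring MVC and Apache Shiro
// on the classpath. SessionStore, OnlineUser and the permission strings are
// constructed for this illustration.
package example.online;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.*;

import java.util.List;
import java.util.logging.Logger;
import java.util.stream.Collectors;

@RestController
@RequestMapping("/sys/online")
public class HardenedOnlineController {

    private static final Logger LOG = Logger.getLogger(HardenedOnlineController.class.getName());

    /** Minimal view of a live session as held server-side; constructed for this example. */
    public record OnlineUser(String token, String username, String realname) {}

    /** What the client is allowed to see: no bearer token, only a short suffix for correlation. */
    public record OnlineUserView(String username, String realname, String tokenHint) {}

    /** Abstraction over the session/token store; constructed for this example. */
    public interface SessionStore {
        List<OnlineUser> allOnline();
        int invalidateAllFor(String username);
    }

    private final SessionStore sessions;

    public HardenedOnlineController(SessionStore sessions) {
        this.sessions = sessions;
    }

    // VULNERABLE SHAPE (shown for contrast, not compiled): any authenticated caller
    // reaches the method, and the raw session tokens are serialized to the client.
    //
    // @GetMapping("/list")
    // public List<OnlineUser> list() { return sessions.allOnline(); }

    // FIXED: Shiro evaluates the permission before the method body runs, so a caller
    // without it receives an authorization error. Independently, the response never
    // carries the token itself, so even an authorized administrator cannot reuse it.
    @GetMapping("/list")
    @RequiresPermissions("system:online:list")
    public List<OnlineUserView> list() {
        return sessions.allOnline().stream()
                .map(u -> new OnlineUserView(u.username(), u.realname(), hint(u.token())))
                .collect(Collectors.toList());
    }

    // FIXED: same permission gate, and the operation is keyed on the username rather
    // than on a token, so no endpoint ever needs to hand tokens to a client. The acting
    // principal is logged so forced logouts are attributable during incident review.
    @PostMapping("/forceLogout")
    @RequiresPermissions("system:online:forceLogout")
    public String forceLogout(@RequestParam("username") String username) {
        String actor = String.valueOf(SecurityUtils.getSubject().getPrincipal());
        int invalidated = sessions.invalidateAllFor(username);
        LOG.info(() -> "forceLogout of " + username + " by " + actor
                + ": " + invalidated + " session(s) invalidated");
        return invalidated > 0 ? "success" : "no active session";
    }

    /** Keep only the last four characters: enough to match a support ticket, useless as a credential. */
    static String hint(String token) {
        if (token == null || token.length() <= 4) {
            return "****";
        }
        return "..." + token.substring(token.length() - 4);
    }
}
```

Two design points differ from the endpoints as the advisory describes them, and both are deliberate. JeecgBoot's forceLogout takes the target's token as its parameter, which is exactly why the list endpoint had to return tokens; keying the logout on the username removes that need, so the list response can drop the secret entirely. And the annotation alone is the fix the advisory asks for; the token redaction is defence in depth for the case where the list permission is granted more widely than intended.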