JamesZBL db-hospital-drug Improper Authorization Vulnerability in ShiroConfig.java
Vulnerability
A critical improper authorization vulnerability has been identified in JamesZBL's db-hospital-drug project, version 1.0. The issue lies in the ShiroConfig.java file, whose authorization configuration does not prevent vertical privilege escalation. The vulnerability can be exploited remotely, allowing unauthorized access to certain functionalities.
Impact
Exploitation of this vulnerability could allow users with lower privileges to access functionality and perform actions that should be restricted to higher-privileged users.
Reproduction
To reproduce this vulnerability, send a GET request to the '/sys/user/list' endpoint. Include the 'JSESSIONID' cookie so that the existing session is maintained, and set the 'X-Requested-With' header to 'XMLHttpRequest' to mark the request as an AJAX request. The request can be issued from a web browser's developer tools or from a script that automates the process.
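The defect described above is a Shiro filter chain that authenticates users but never checks their role before granting access to the administrative '/sys/**' paths. The following is an added illustration, not the project's own ShiroConfig.java; the weak and hardened chain definitions, the 'admin' role name and the '/login' and '/403' URLs are assumptions chosen for the example.

```java
// Added example (not the project's code): a Shiro filter chain that only requires
// login for /sys/** beside one that also requires the "admin" role.
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfigExample {

    // Weak (assumed) configuration: the catch-all "authc" rule means any
    // logged-in user, whatever their role, can reach /sys/user/list.
    static Map<String, String> weakChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");
        chain.put("/static/**", "anon");
        chain.put("/**", "authc");   // authentication only, no role check
        return chain;
    }

    // Hardened configuration: /sys/** additionally requires the "admin" role.
    // Shiro applies the first matching pattern, so the /sys/** rule must be
    // registered before the catch-all (LinkedHashMap preserves that order).
    static Map<String, String> hardenedChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");
        chain.put("/static/**", "anon");
        chain.put("/sys/**", "authc, roles[admin]");
        chain.put("/**", "authc");
        return chain;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login");          // assumed login page
        factory.setUnauthorizedUrl("/403");     // assumed page for failed role checks
        factory.setFilterChainDefinitionMap(hardenedChain());
        return factory;
    }
}
```

Because URL-pattern ordering is easy to get wrong, annotating the controller method itself with Shiro's @RequiresRoles("admin") gives a second check that holds even if the filter chain is later misconfigured.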
