201206030 Novel-Plus Missing Authentication Vulnerability in Code Generation Function

A critical vulnerability has been identified in the 20120630 Novel-Plus project, specifically in versions prior to commit 0e156c04b4b7ce0563bef6c97af4476fcda8f160. The issue resides in the GeneratorController, within the genCode function, where missing authentication allows remote attackers to exploit the endpoint for unauthorized code generation. This vulnerability has been publicly disclosed and is actively exploitable.

Impact

Exploitation of this vulnerability allows for unauthorized remote code generation on the server.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/genCode' endpoint without any authentication. The request must include a 'tableName' parameter, which can be set to any arbitrary value. This will trigger the backend code generation process for the specified table.

Remediation

To address this vulnerability, all endpoints should be secured with proper authentication and authorization controls, ensuring that only users with administrative privileges can access high-risk functions such as code generation.