WinterChenS My-Site Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in WinterChenS my-site, in the latest version through commit 6c79286. It allows attackers to access the /admin/ API without a token. The issue is in the preHandle function of the BaseInterceptor class, which fails to properly validate request paths: some normalization is applied to the URL, but it does not account for certain cases, allowing unauthorized access to admin functionality such as publishing articles.
Impact
Exploitation of this vulnerability allows for unauthorized access to admin APIs, bypassing authentication requirements. This could lead to unauthorized actions being performed on behalf of an admin, such as managing articles or other admin-level tasks.
Reproduction
To reproduce this vulnerability, send a request to the /admin/article/publish endpoint without an authentication token. The server will respond with a redirect to the admin login page, indicating that the authentication check is in place. However, if the request is modified to include a path traversal sequence that bypasses the interceptor's checks, such as '/admin/login/..;/article/publish', the authentication requirement is ignored, and access to the endpoint is granted. This demonstrates how the vulnerability can be exploited to gain unauthorized access to admin functionalities.
Remediation
Users are advised to update to the latest version of WinterChenS my-site, where this vulnerability has been fixed.
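The path handling behind the bypass described above, shown next to a check that decides on the canonical path. This is an added Java example, not code from the my-site source: naiveRequiresAuth is an assumed, simplified stand-in for a prefix check on the raw URI, and the class and method names are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration; a simplified model, not the my-site BaseInterceptor source.
public class AdminPathCheck {

    // Assumed weak pattern: exempt the login page by prefix-matching the raw URI.
    static boolean naiveRequiresAuth(String rawUri) {
        return rawUri.startsWith("/admin") && !rawUri.startsWith("/admin/login");
    }

    // Canonicalize the way request routing does: drop ";params" from each
    // segment, then resolve "." and "..". Returns null if ".." escapes the root.
    static String canonicalize(String rawUri) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : rawUri.split("/")) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (out.isEmpty()) return null;
                out.removeLast();
            } else {
                out.addLast(seg);
            }
        }
        return "/" + String.join("/", out);
    }

    // Hardened check: decide on the canonical path and match the exemption exactly.
    static boolean hardenedRequiresAuth(String rawUri) {
        String path = canonicalize(rawUri);
        if (path == null) return true; // fail closed on malformed paths
        boolean admin = path.equals("/admin") || path.startsWith("/admin/");
        return admin && !path.equals("/admin/login");
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs; the third is the path from the reproduction
            "/admin/article/publish", "/admin/login", "/admin/login/..;/article/publish" };
        for (String uri : samples) {
            System.out.printf("%-36s canonical=%-24s naive=%-5b hardened=%b%n",
                uri, canonicalize(uri), naiveRequiresAuth(uri), hardenedRequiresAuth(uri));
        }
    }
}
```

For the third sample the naive check reports that no authentication is required, while the canonical path is /admin/article/publish and the hardened check requires it. In a servlet application, HttpServletRequest.getRequestURI() returns the raw URI including ";" path parameters, so an interceptor should compare against the path the container resolved for routing rather than that raw string.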
