szluyu99 gin-vue-blog PATCH Request Handler Improper Authorization Vulnerability

A critical vulnerability allowing improper authorization has been identified in szluyu99 gin-vue-blog versions prior to 61dd11ccd296e8642a318ada3ef7b3f7776d2410. The issue resides in the PATCH request handler within the file gin-blog-server/internal/manager.go. This vulnerability allows unauthorized attackers to remotely manipulate core website configurations, such as the site name, record number, and comment moderation settings. The flaw arises because the UpdateConfig API is incorrectly assigned to an unauthenticated route, enabling direct requests that can alter vital configuration data. Such actions could disrupt services, cause data corruption, or bypass security measures.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of critical website configurations, potentially causing service disruptions, data integrity issues, or failures in security controls.

Reproduction

To reproduce this vulnerability, send a PATCH request to the /api/config endpoint without any authentication. Include a JSON payload with the desired configuration changes, such as the website name, record number, and comment moderation preferences. The server will process the request and apply the changes, demonstrating the lack of proper authorization checks.