### Critical Vulnerability Information

#### Vulnerability Type

- **Incorrect Access Control / Unsafe Deserialization**

#### Product Vendor

- [https://gitee.com/wangzhixuan/spring-shiro-training](https://gitee.com/wangzhixuan/spring-shiro-training)

#### Affected Product Codebase

- All versions (up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562)

#### Affected Component

- Frontend API endpoint: `/role/add` can be reached via path traversal under `/static/**`

#### Attack Type

- Remote, no authentication required

#### Vulnerability Details

- The project uses an outdated Apache Shiro configuration that allows anonymous access to the `/static/**` path.
- Sensitive endpoints (such as `/index`) normally redirect unauthenticated users to the login page; only administrators can access them.
- Because Shiro's filter chain matches the raw request path while the servlet container serves the normalized one, a path traversal such as `/static/../index` is matched as anonymous but dispatched to the protected `/index` endpoint, bypassing authentication.
- The environment depends on log4j. Any reachable endpoint that reliably triggers logging of attacker-controlled input, such as `/role/add`, can therefore be used to exploit Log4Shell for Remote Code Execution (RCE).

#### POC Example

```http
POST /spring_shiro_training_war/static/../../role/add HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
```
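The following Python model, added here and not taken from the advisory or the project, shows why the bypass works and how to spot it in access logs: Shiro's chain is matched against the raw request path, while the container dispatches on the normalized path, so `/static/../index` is matched as `anon` but served as `/index`. The filter chain, the log lines and the `reject_unnormalized` hardening check are constructed assumptions (paths are shown without the context prefix, as Shiro sees them).

```python
import posixpath
import re

# Constructed filter chain in the order Shiro evaluates it (first match wins):
# static resources anonymous, everything else requires authentication.
FILTER_CHAIN = [
    ("/login", "anon"),
    ("/static/**", "anon"),
    ("/**", "authc"),
]

def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' spans directories, '*' stays within one segment."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None

def shiro_filter_for(raw_path):
    """Filter the chain selects for the path exactly as it appears in the request."""
    for pattern, flt in FILTER_CHAIN:
        if ant_match(pattern, raw_path):
            return flt
    return "authc"

def servlet_target(raw_path):
    """Path the container actually dispatches to after collapsing '.' and '..' segments."""
    return posixpath.normpath(raw_path)

def is_auth_bypass(raw_path):
    """True when the raw path is matched as anon but resolves to a path that needs authc."""
    return (shiro_filter_for(raw_path) == "anon"
            and shiro_filter_for(servlet_target(raw_path)) == "authc")

def reject_unnormalized(raw_path):
    """Hardening check: refuse any request whose raw path differs from its normalized
    form (or carries percent-encoded dots), so the chain and the container agree."""
    return raw_path != servlet_target(raw_path) or "%2e" in raw_path.lower()

# Constructed access-log sample: one legitimate static fetch, one redirect to login,
# and two traversal requests that reach protected endpoints anonymously.
LOG = """\
127.0.0.1 - - [10/Jan/2025:10:00:01 +0000] "GET /static/css/app.css HTTP/1.1" 200 512
127.0.0.1 - - [10/Jan/2025:10:00:02 +0000] "GET /index HTTP/1.1" 302 0
127.0.0.1 - - [10/Jan/2025:10:00:03 +0000] "GET /static/../index HTTP/1.1" 200 2048
127.0.0.1 - - [10/Jan/2025:10:00:04 +0000] "POST /static/../../role/add HTTP/1.1" 200 77
"""
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def flag_bypass_attempts(log_text):
    """Return (method, raw_path, resolved_path) for every request that bypassed authc."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if is_auth_bypass(path):
            hits.append((m.group("method"), path, servlet_target(path)))
    return hits
```

Running `flag_bypass_attempts(LOG)` reports the two traversal requests together with the protected endpoint each one actually reached.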