### Critical Vulnerability Information

#### Vulnerability Description

There is an authentication bypass vulnerability that allows attackers to access the `/admin/` API without using any token.

#### Vulnerability Type

Incorrect Access Control

#### Product Vendor

https://github.com/zhishehg17/blog/

#### Affected Product Codebase

All versions (up to e0497553b76d44b9b176c121d3ef96bb6d678c04)

#### Attack Type

Unauthenticated

#### Vulnerability Details

1. The affected source code class is `com.my.blog.website.interceptor.BaseInterceptor`, and the affected method is `preHandle`. In the interceptor code, `request.getRequestURI()` is used to retrieve the request path.
2. It then checks whether the `uri` starts with `/admin/` but does not start with `/admin/login`. If this condition is not met, it executes `return true`, letting the request through without a session check. Otherwise, it blocks the current request and redirects to the login page.
3. The issue lies in using `request.getRequestURI()` to obtain the request path. The path returned by this method is not normalized: `..` segments are passed through verbatim rather than resolved, so a plain `startsWith` comparison can be satisfied by a path that the servlet dispatcher later resolves to a different endpoint. This lets attackers use `../` to bypass the check.
4. For example, take the backend API endpoint `/admin/comments/delete`. Requesting `/admin/login/../comments/delete` bypasses the `BaseInterceptor`, allowing deletion of any comment.

#### Vulnerability Reproduction

Accessing `http://127.0.0.1:8081/admin/comments/delete` will directly redirect to the admin login page. However, accessing `http://127.0.0.1:8081/admin/login/../comments/delete` will bypass the authentication check and delete the specified comment. All comments can be deleted by iterating through all `cid` parameter values.

#### References

https://github.com/zhishehg17/blog/issues/64
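The root cause in detail 3 is a prefix comparison on an un-normalized path. The following added example (written for this page, not code from the zhishehg17/blog project) isolates that check as a pure function so the vulnerable rule and a hardened rule can be compared side by side. `AdminPathCheck`, `vulnerableAllows`, `hardenedAllows` and `canonicalize` are names chosen here; the hardened version percent-decodes once (rejecting double-encoded input), strips `;` path parameters, collapses `.` and `..` segments, refuses any path that would climb above the root, and only then applies the `/admin/` prefix rule from the advisory.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration, not the project's own BaseInterceptor. A real
// HandlerInterceptor would feed request.getRequestURI() (minus the context
// path) into hardenedAllows() from preHandle().
public class AdminPathCheck {

    // Mirrors the rule described in the advisory: a raw startsWith() test.
    // Returns true when the request is let through without a session check.
    public static boolean vulnerableAllows(String rawUri) {
        boolean protectedPath = rawUri.startsWith("/admin/")
                && !rawUri.startsWith("/admin/login");
        return !protectedPath;
    }

    // Hardened rule: compare the canonical path, and deny on anything that
    // cannot be canonicalized with confidence.
    public static boolean hardenedAllows(String rawUri) {
        String canonical = canonicalize(rawUri);
        if (canonical == null) {
            return false; // traversal above root, double encoding, etc.
        }
        boolean protectedPath = canonical.startsWith("/admin/")
                && !canonical.startsWith("/admin/login");
        return !protectedPath;
    }

    // Returns a canonical absolute path, or null when the input is untrusted.
    static String canonicalize(String rawUri) {
        if (rawUri == null || !rawUri.startsWith("/")) {
            return null;
        }
        String decoded = URLDecoder.decode(rawUri, StandardCharsets.UTF_8);
        // A second decode that still changes the string means the client sent
        // double-encoded bytes (e.g. %252e); treat that as hostile.
        if (!URLDecoder.decode(decoded, StandardCharsets.UTF_8).equals(decoded)) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decoded.split("/", -1)) {
            int semi = seg.indexOf(';');          // drop ";jsessionid=..."-style params
            if (semi >= 0) {
                seg = seg.substring(0, semi);
            }
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                         // "//" and "/./" collapse
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;                  // would escape the root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        String[] probes = {
            "/admin/comments/delete",             // protected endpoint from the advisory
            "/admin/login/../comments/delete",    // the bypass from the advisory
            "/admin/login",                       // legitimately public
            "/article/1"                          // ordinary front-end page
        };
        for (String p : probes) {
            System.out.printf("%-36s vulnerable=%-5b hardened=%-5b canonical=%s%n",
                    p, vulnerableAllows(p), hardenedAllows(p), canonicalize(p));
        }
    }
}
```

Running `main` shows the two rules disagree only on the traversal case: `vulnerableAllows` returns `true` for `/admin/login/../comments/delete` because the raw string starts with `/admin/login`, while `hardenedAllows` canonicalizes it to `/admin/comments/delete` and denies. In a Spring application the same protection is available without hand-written code by keeping Spring Security's default `StrictHttpFirewall` in front of the dispatcher, which rejects requests whose path contains `..`, encoded dots or `;` segments before any interceptor sees them.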