yeqifu / warehouse Goto Github PK

您演示地址的商品销售模块接口异常

修改部门时,如果修改其父部门为其下原来的子部门,更新完成之后两个部门都不见了.~~

商品管理“筛选列、打印、导出”是怎么实现的？

已source sql脚本，sys_user表中无admin用户，是否能以admin登录？若不能，如何登录？谢谢！

项目中没有sql文件，麻烦提供下，谢谢 ！我的邮箱[email protected]

不知道是BUG还是没写这个功能，但是添加商品有个预警功能。还有demo密码被人改了。。。希望修复并锁死

找不到用户储存的数据库的，一直显示密码错误

貌似现在那个在线网址，现在登不上去，一直提示用户名和密码错误

能发送一个　ｓｑｌ文件吗　，你文件里面的ｓｑｌ和ｍａｐｐｅｒ不能匹配，导致了登录出错，希望修正下，我的邮箱　１９３３３１５１０７＠ｑｑ.com 谢谢

Vertical Privilege Escalation Vulnerability

1. Steps to reproduce

When logged in as a ordinary user, only the following menu bar is available.

When logged in as a system user, the following menu bar is available.

In other words, the reset password function is the privilege of the system user, ordinary users can not reset other people's passwords.

But when a ordinary user requests the route /user/resetPwd/{id}, it can reset the passwords of other users.

The PoC HTTP request message is as follows.

POST /user/resetPwd/1 HTTP/1.1
Host: 10.108.4.179:8888
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://10.108.4.179:8888
DNT: 1
Connection: close
Referer: http://10.108.4.179:8888/sys/toUserManager
Cookie: JSESSIONID=6CE3D4F751868479C2F7F0A9FE8C973B
Content-Length: 0

You can see that the user with id 1 is the system administrator, but I reset the administrator's password using the ordinary user with id 4.

2. Expected behavior

The com.yeqifu.sys.controller.UserController#resetPwd method was originally intended to be used to allow the system administrator to reset a user's password by passing in the user's id to reset the specified user's password.

3. Actual behavior

However, this method does not check whether the currently logged in user has access to the endpoint, as long as the user is logged in can reset other people's passwords through this method.

This leads to a vulnerability where an ordinary user can reset other people's passwords just like an administrator.

4. Affected Version

This arbitrary file read vulnerability affect latest version: warehouse <= Apr 15, 2023

5. Fixes Recommendations

To fix this vulnerability, I have the following suggestions:

1. verify that the current user has access rights to the endpoint before manipulating the data
2. access to endpoints should be controlled by the backend, not through a menu bar on the frontend

Website API has unauthorized access vulnerability.

for example:

You can use "../xxx" or "../../xxx" to download any file.

for example:
http://website/file/showImageByPath?path=../1.txt

老哥你更新系统后新的管理员密码可以告知一下吗

您好，请问该项目的sql文件是否能发一下，麻烦加您个微信

是直接导入的源码里附带的sql文件

如果大佬有空还请告诉下我

Java旅途，回复仓库管理系统就可以看到

Arbitrary File Read

1. Steps to reproduce

After logging in to the system with an account password and accessing the /file/showImageByPath , an arbitrary file read vulnerability exists in the path parameter.

The PoC HTTP request message is as follows.

GET /file/showImageByPath?path=../../tmp/poc/poc.txt HTTP/1.1
Host: 10.108.4.179:8888
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://10.108.4.179:8888/sys/index
Cookie: JSESSIONID=08E5E5E33DC9F0EB1066298127666AC9
Upgrade-Insecure-Requests: 1

payload: path=../../any/file/want/to/read

As shown in the following figure, you can use the payload to read any file in the system.

2. Expected behavior

com.yeqifu.sys.controller.FileController#showImageByPath method is meant to read the contents of the file pointed to by the path parameter and returns it to the client.

The path variable is then passed directly to the com.yeqifu.sys.common.AppFileUtils#createResponseEntity method, which reads the contents of the file in the UPLOAD_PATH directory through the File object.

3. Actual behavior

However, the path variable is spliced after the UPLOAD_PATH directory without any security filters in the passing process, resulting in a controllable file path that can be read by arbitrary files.

4. Affected Version

This arbitrary file read vulnerability affect latest version: warehouse <= Apr 15, 2023

5. Fixes Recommendations

To fix this vulnerability, I have the following suggestions:

1. add a security filter to the path passing process by removing ./, ../, etc.
2. whenever possible, the value of the path variable should be controlled by the program, not the user.

warehouse项目，我有些问题想咨询一下你，我的QQ：820603418，名字是句号，已向你发送请求添加好友。

大佬有事请教，能不能加个联系方式（877819310）

大佬，请求指点啊 有偿

clone您的分支测试时,登录超级管理员在客户管理页面无法删除客户

学习项目过程中，发现不

会弄系统管理员，没有办法处理销售部门下的内容

You can insert xss payload when submitting product information.

看你的演示首页公告可以加载出来，到本地就加载不出来，浏览器报这个错
Uncaught TypeError: Cannot read property 'title' of undefined
at Object.success (toDeskManager:110)