Description
When the admin deletes the user or changes the user's password, the user's current valid session/token has not expired, leading to the old session/token still being valid.
This would lead to CWE-613 insufficient session expire weakness.
Attack Example
- admin login, user1 login;
- admin delete user1 or changing user1's password to default;
- user1 can still operate with the old session/token which should be expired.
Deleting user by admin
|
@AdminRequired |
|
@DeleteMapping("/user/{id}") |
|
@PermissionMeta(value = "删除用户", mount = false) |
|
public DeletedVO deleteUser(@PathVariable @Positive(message = "{id.positive}") Integer id) { |
|
adminService.deleteUser(id); |
|
return new DeletedVO(5); |
|
} |
Changing password
|
@AdminRequired |
|
@PutMapping("/user/{id}/password") |
|
@PermissionMeta(value = "修改用户密码", mount = false) |
|
public UpdatedVO changeUserPassword(@PathVariable @Positive(message = "{id.positive}") Integer id, @RequestBody @Validated ResetPasswordDTO validator) { |
|
adminService.changeUserPassword(id, validator); |
|
return new UpdatedVO(4); |
|
} |
|
@PutMapping("/change_password") |
|
@LoginRequired |
|
public UpdatedVO updatePassword(@RequestBody @Validated ChangePasswordDTO validator) { |
|
userService.changeUserPassword(validator); |
|
return new UpdatedVO(4); |
|
} |
|
public boolean changePassword(Integer userId, String password) { |
|
String encrypted = EncryptUtil.encrypt(password); |
|
UserIdentityDO userIdentity = UserIdentityDO.builder().credential(encrypted).build(); |
|
QueryWrapper<UserIdentityDO> wrapper = new QueryWrapper<>(); |
|
wrapper.lambda().eq(UserIdentityDO::getUserId, userId); |
|
return this.baseMapper.update(userIdentity, wrapper) > 0; |
|
} |
Description
When the admin deletes the user or changes the user's password, the user's current valid session/token has not expired, leading to the old session/token still being valid.
This would lead to CWE-613 insufficient session expire weakness.
Attack Example
Deleting user by admin
lin-cms-spring-boot/src/main/java/io/github/talelin/latticy/controller/cms/AdminController.java
Lines 71 to 77 in 3fc25bd
Changing password
lin-cms-spring-boot/src/main/java/io/github/talelin/latticy/controller/cms/AdminController.java
Lines 63 to 69 in 3fc25bd
lin-cms-spring-boot/src/main/java/io/github/talelin/latticy/controller/cms/UserController.java
Lines 125 to 130 in 3fc25bd
lin-cms-spring-boot/src/main/java/io/github/talelin/latticy/service/impl/UserIdentityServiceImpl.java
Lines 55 to 61 in 3fc25bd