There is an access control vulnerability in Vblog

### Version: <= 0.0.1-SNAPSHOT
### Branch: master branch
### Description: 
There is a privilege escalation vulnerability in Vblog, allowing an attacker to exploit it and perform arbitrary user registration with normal user permissions.

### Sourcecode Analysis
<img width="1574" alt="image" src="https://github.com/user-attachments/assets/faf84fe5-a0d4-4053-8a8a-d83c30c68753" />

In the `org.sang.config.WebSecurityConfig#configure` method, the `/reg` endpoint is configured to be accessible only by super administrators.
However, the Spring Security authentication framework used by the application can be bypassed by appending a trailing `/` to the endpoint, allowing regular users to access the `/reg` interface.

### Reproduce the vulnerablitity
Directly accessing the `/reg` endpoint returns a message indicating that it is accessible only to super administrators.
<img width="978" alt="image" src="https://github.com/user-attachments/assets/71b29237-572d-4452-8ac5-6d52b4bd758c" />
However, accessing `/reg/` results in a privilege escalation. This allows regular users to arbitrarily register new users.
<img width="880" alt="image" src="https://github.com/user-attachments/assets/fdf9d289-84ae-473a-a065-5bba06b759cc" />
<img width="1709" alt="image" src="https://github.com/user-attachments/assets/7c61a2f4-e117-455a-8a1d-d4ef11a4910c" />



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

There is an access control vulnerability in Vblog #95

Version: <= 0.0.1-SNAPSHOT

Branch: master branch

Description:

Sourcecode Analysis

Reproduce the vulnerablitity

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

There is an access control vulnerability in Vblog #95

Description

Version: <= 0.0.1-SNAPSHOT

Branch: master branch

Description:

Sourcecode Analysis

Reproduce the vulnerablitity

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions