CVE request RuoYi #1: arbitrarily assign any role to any other user.

Product: RuoYi

URL: https://github.com/yangzongzhuan/RuoYi

Stars: 7.5k

English Report

Product: RuoYi

URL: POST /system/role/authUser/selectAll

Title: Broken Function Level Authorization in Batch Role Assignment

Proof of Concept (PoC):

  1. Log in to the system with any user account, regardless of their permissions.

  2. Capture the request for any authorized action to obtain the Cookie header.

  3. Construct a POST request to /system/role/authUser/selectAll with the following parameters:

    • roleId: The ID of the role to be assigned (e.g., administrator role ID).

    • userIds: The ID(s) of the user(s) to whom the role will be assigned.

  4. Send the request with the captured cookie. The user(s) specified will be granted the role.

HTTP request:
POST /system/role/authUser/selectAll HTTP/1.1
Host: [target]
Cookie: [user_cookie]
Content-Type: application/x-www-form-urlencoded

roleId=1&userIds=2,3

Effect:

This vulnerability allows any authenticated user to arbitrarily assign any role to any other user. A low-privileged user could exploit this to grant themselves or others administrative privileges, leading to a complete compromise of the system's integrity and confidentiality.
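To make the defect and its fix concrete, the following is an added illustration (not RuoYi's code) of a batch role-assignment handler written two ways: as the report describes it, with only authentication checked, and hardened with a function-level permission check before any write. The names Session, RoleStore, parse_body, the permission key "system:role:edit" and the sample user/role rows are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Permission key assumed for the batch-assignment function (constructed name, not RuoYi's).
REQUIRED_PERMISSION = "system:role:edit"

@dataclass
class Session:
    """Authenticated caller as resolved from the request Cookie (constructed)."""
    user_id: int
    permissions: set = field(default_factory=set)

@dataclass
class RoleStore:
    """In-memory stand-in for the user/role table, seeded with constructed rows."""
    user_roles: dict = field(default_factory=lambda: {1: {1}, 2: set(), 3: set()})

    def assign(self, role_id: int, user_ids: list) -> None:
        for uid in user_ids:
            self.user_roles.setdefault(uid, set()).add(role_id)

def parse_body(body: str) -> tuple:
    """Parse 'roleId=1&userIds=2,3'; raises KeyError/ValueError on missing or bad values."""
    form = parse_qs(body, strict_parsing=True)
    role_id = int(form["roleId"][0])
    user_ids = [int(x) for x in form["userIds"][0].split(",") if x]
    if not user_ids:
        raise ValueError("userIds is empty")
    return role_id, user_ids

def select_all_vulnerable(session, body: str, store: RoleStore) -> int:
    """As reported: authentication is checked, function-level authorization is not."""
    if session is None:
        return 401
    role_id, user_ids = parse_body(body)
    store.assign(role_id, user_ids)   # any logged-in user reaches this write
    return 200

def select_all_fixed(session, body: str, store: RoleStore) -> int:
    """Hardened: require the role-edit permission before any write, reject bad input."""
    if session is None:
        return 401
    if REQUIRED_PERMISSION not in session.permissions:
        return 403                    # authorization failure: nothing is written
    try:
        role_id, user_ids = parse_body(body)
    except (KeyError, ValueError):
        return 400
    store.assign(role_id, user_ids)
    return 200
```

The permission check must sit on the server-side handler itself, not only on the menu or page that links to it, since the request in the PoC is sent directly.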

Finder: aibot88 @secsys from Fudan University


Chinese Report

Product name: 若依 (RuoYi)

Vulnerable URL: POST /system/role/authUser/selectAll

Vulnerability title: Broken authorization in the batch user role-assignment function

Reproduction (PoC):

  1. Log in to the system with a user account of any permission level.

  2. Capture any authorized request to obtain a valid Cookie.

  3. Construct a POST request to /system/role/authUser/selectAll with the following parameters:

    • roleId: the ID of the role to assign (e.g., the administrator role ID).

    • userIds: the ID(s) of the user(s) to whom the role should be assigned.

  4. Send the request with the captured Cookie. The target user(s) will be granted the specified role.

HTTP request:
POST /system/role/authUser/selectAll HTTP/1.1
Host: [目标地址]
Cookie: [用户Cookie]
Content-Type: application/x-www-form-urlencoded

roleId=1&userIds=2,3

Impact:

This vulnerability allows any authenticated user to arbitrarily assign any role to any other user in the system. A low-privileged attacker can use it to grant administrator privileges to themselves or others, gaining full control of the back-end system and leading to serious consequences such as data leakage and tampering.

Finder: aibot88 @secsys from Fudan University

Posted 2025-08-28 20:56 by Aibot