Hello, I have found a security problem in your project.
You use Spring Security to authenticate users. However, the access rules for the protected paths are configured with antMatcher patterns that do not cover every spelling of a path, so an attacker can exploit the difference between how the server (Spring MVC) and Spring Security process the path: while logged in as an ordinary user, the attacker can call functions that should be restricted to the administrator.
The path of the vulnerable code: com/greate/community/config/SecurityConfig.java
Attack method: log in as a normal user who does not have the delete permission. POST /discuss/delete with a discuss id; the server responds "you have no privilege to request". Then POST /discuss/delete/ (the same path with a slash appended) with the same id; this request succeeds and the discuss with that id is deleted.
Here is the proof:
POST /discuss/delete
POST /discuss/delete/
How to repair:
- add the extra path /discuss/delete/ (with the trailing slash) to the Spring Security rules, so that both spellings are checked
- normalize the path before Spring Security evaluates it, so that /discuss/delete and /discuss/delete/ are handled the same way by both Spring MVC and Spring Security
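The configuration below is an added example, not the project's own SecurityConfig. It shows the weak rule beside two ways of closing the gap described above. The authority name "admin", the WebSecurityConfigurerAdapter style (Spring Security 5.x) and the permitAll fallback are assumptions about the project; what is not an assumption is that antMatchers uses Ant-style matching on the servlet path, so the pattern "/discuss/delete" does not match "/discuss/delete/", while Spring MVC (before Spring 6, where trailing-slash matching is on by default) routes both to the same controller method.

```java
// Added example (not the project's own code). Assumed: authority "admin",
// Spring Security 5.x with WebSecurityConfigurerAdapter, Spring MVC on the classpath.
package com.greate.community.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // VULNERABLE (commented out): antMatchers compares the Ant pattern
            // against the raw servlet path. "/discuss/delete" does not match
            // "/discuss/delete/", but Spring MVC's trailing-slash matching sends
            // both to the same handler, so the "/"-suffixed request reaches the
            // delete action without ever hitting this rule.
            // .antMatchers("/discuss/delete").hasAuthority("admin")

            // FIX 1 (the report's first suggestion): list the trailing-slash form
            // explicitly so both spellings are authorized the same way.
            .antMatchers("/discuss/delete", "/discuss/delete/").hasAuthority("admin")

            // FIX 2 (alternative): mvcMatchers asks Spring MVC's own matcher, so
            // whatever path the controller would serve is the path that is checked.
            // .mvcMatchers("/discuss/delete").hasAuthority("admin")

            // Assumed fallback. A deny-by-default .anyRequest().authenticated()
            // would limit the damage of any future pattern mismatch as well.
            .anyRequest().permitAll();
    }
}

// FIX 3 (the report's second suggestion, applied on the MVC side): remove the
// ambiguity itself. With trailing-slash matching off, "/discuss/delete/" is no
// longer routed to the "/discuss/delete" handler at all, so there is only one
// spelling for Spring Security to protect.
@Configuration
class PathMatchConfig implements WebMvcConfigurer {
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseTrailingSlashMatch(false);
    }
}
```

A quick check after applying any of the fixes: repeat the two POST requests from the proof above as the normal user; both /discuss/delete and /discuss/delete/ must now be refused (with FIX 3 the second one becomes a 404 instead), and the discuss must still exist afterwards. Note that Spring Security's default StrictHttpFirewall rejects things like ";" and "//" in the path, but it does not strip a trailing slash, which is why the pattern or the MVC matcher has to account for it.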