Skip to content

Potential improper authorization in UCenter article update functionality #194

Description

@ling101w

Summary

There appears to be an improper authorization issue in the UCenter article update functionality of JPress 1.0.3.

The endpoint POST /ucenter/article/doWriteSave may allow an authenticated user to submit an existing article id and trigger an update flow without sufficiently verifying whether the target article belongs to the current user.

As a result, an authenticated low-privileged user may be able to modify or overwrite articles belonging to other users if a valid article ID is known or can be enumerated.

Affected Version

  • JPress 1.0.3

Vulnerability Type

  • Improper Authorization
  • Broken Access Control
  • CWE-285: Improper Authorization
  • CWE-639: Authorization Bypass Through User-Controlled Key

Affected Endpoint

POST /ucenter/article/doWriteSave

Source-Level Flow

POST /ucenter/article/doWriteSave
→ ArticleUCenterController.doWriteSave()
→ request binds Article with user-controlled id
→ JbootServiceBase.saveOrUpdate(model)
→ existing id may trigger update
→ ownership check appears to be missing or insufficient

Impact

An authenticated low-privileged user may be able to modify articles belonging to other users.

Depending on the site configuration and article permissions, this may lead to:

  • Unauthorized modification of other users' articles
  • Unauthorized overwrite of article content
  • Integrity impact on user-generated content

Expected Behavior

Before updating an article, the server should verify that the target article belongs to the currently authenticated user.

If the current user is not the owner of the article, the request should be rejected with 403 Forbidden.

Actual Behavior

The update flow appears to rely on a user-controlled article id. When the submitted id corresponds to an existing article, the save-or-update logic may enter the update path without sufficiently enforcing an ownership check.

Suggested Fix

Before updating an existing article, the application should load the original article record from the database and verify ownership.

For example:

Article oldArticle = articleService.findById(article.getId());

if (oldArticle == null) {
    return error;
}

if (!oldArticle.getUserId().equals(currentUser.getId())) {
    return forbidden;
}

The application should not directly trust the id or userId submitted by the client.

Recommended protections:

  • Check whether the current user is authenticated.
  • Check whether the target article exists.
  • Check whether the target article belongs to the current user.
  • Reject unauthorized update attempts with 403 Forbidden.
  • Avoid relying only on frontend controls.
  • Avoid binding sensitive fields such as id or userId directly from untrusted user input without validation.

Additional Notes

This issue was found during source code review and security testing.

I can provide additional technical details if needed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions