Summary
There appears to be an improper authorization issue in the UCenter article update functionality of JPress 1.0.3.
The endpoint POST /ucenter/article/doWriteSave may allow an authenticated user to submit an existing article id and trigger an update flow without sufficiently verifying whether the target article belongs to the current user.
As a result, an authenticated low-privileged user may be able to modify or overwrite articles belonging to other users if a valid article ID is known or can be enumerated.
Affected Version
Vulnerability Type
- Improper Authorization
- Broken Access Control
- CWE-285: Improper Authorization
- CWE-639: Authorization Bypass Through User-Controlled Key
Affected Endpoint
POST /ucenter/article/doWriteSave
Source-Level Flow
POST /ucenter/article/doWriteSave
→ ArticleUCenterController.doWriteSave()
→ request binds Article with user-controlled id
→ JbootServiceBase.saveOrUpdate(model)
→ existing id may trigger update
→ ownership check appears to be missing or insufficient
Impact
An authenticated low-privileged user may be able to modify articles belonging to other users.
Depending on the site configuration and article permissions, this may lead to:
- Unauthorized modification of other users' articles
- Unauthorized overwrite of article content
- Integrity impact on user-generated content
Expected Behavior
Before updating an article, the server should verify that the target article belongs to the currently authenticated user.
If the current user is not the owner of the article, the request should be rejected with 403 Forbidden.
Actual Behavior
The update flow appears to rely on a user-controlled article id. When the submitted id corresponds to an existing article, the save-or-update logic may enter the update path without sufficiently enforcing an ownership check.
Suggested Fix
Before updating an existing article, the application should load the original article record from the database and verify ownership.
For example:
Article oldArticle = articleService.findById(article.getId());
if (oldArticle == null) {
return error;
}
if (!oldArticle.getUserId().equals(currentUser.getId())) {
return forbidden;
}
The application should not directly trust the id or userId submitted by the client.
Recommended protections:
- Check whether the current user is authenticated.
- Check whether the target article exists.
- Check whether the target article belongs to the current user.
- Reject unauthorized update attempts with
403 Forbidden.
- Avoid relying only on frontend controls.
- Avoid binding sensitive fields such as
id or userId directly from untrusted user input without validation.
Additional Notes
This issue was found during source code review and security testing.
I can provide additional technical details if needed.
Summary
There appears to be an improper authorization issue in the UCenter article update functionality of JPress 1.0.3.
The endpoint
POST /ucenter/article/doWriteSavemay allow an authenticated user to submit an existing articleidand trigger an update flow without sufficiently verifying whether the target article belongs to the current user.As a result, an authenticated low-privileged user may be able to modify or overwrite articles belonging to other users if a valid article ID is known or can be enumerated.
Affected Version
Vulnerability Type
Affected Endpoint
Source-Level Flow
Impact
An authenticated low-privileged user may be able to modify articles belonging to other users.
Depending on the site configuration and article permissions, this may lead to:
Expected Behavior
Before updating an article, the server should verify that the target article belongs to the currently authenticated user.
If the current user is not the owner of the article, the request should be rejected with
403 Forbidden.Actual Behavior
The update flow appears to rely on a user-controlled article
id. When the submittedidcorresponds to an existing article, the save-or-update logic may enter the update path without sufficiently enforcing an ownership check.Suggested Fix
Before updating an existing article, the application should load the original article record from the database and verify ownership.
For example:
The application should not directly trust the
idoruserIdsubmitted by the client.Recommended protections:
403 Forbidden.idoruserIddirectly from untrusted user input without validation.Additional Notes
This issue was found during source code review and security testing.
I can provide additional technical details if needed.