
Spring Boot Actuator sensitive information leak #977

Open
lhhgh opened this issue Mar 6, 2024 · 4 comments
Comments

lhhgh commented Mar 6, 2024

[image]
pig version: 4.4.0
Via the address http://124.70.102.185:8080/act/%61%63%74%75%61%74%6f%72 the configuration information can be read directly.
Question: how can this vulnerability be fixed?

lhhgh (Author) commented Mar 6, 2024

Neither the Sentinel nor the Monitor service is running.

lltx (Collaborator) commented Mar 6, 2024

[image]

lhhgh (Author) commented Mar 26, 2024

[image]

This configuration has been in place the whole time, and the vulnerability is still present.

hello-noob commented
This is a URL-encoding bypass. Solution:
Disable the actuator path in Spring Boot.
Normally, for security, the following configuration can be used to disable the monitoring endpoints:

```yaml
management:
  endpoints:
    enabled-by-default: false
```

After that, requests to endpoints such as health and info return 404, but a plain request to the /actuator path still returns some information, which at least reveals that the /actuator path is reachable; under a strict security penetration test this would very likely fail the check.
The following configuration disables the monitoring HTTP endpoints entirely:

```yaml
management:
  server:
    port: -1
```

Because the HTTP port range is 1 to 65535, -1 cannot be reached.
Accessing the /actuator path then also returns 404.
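
The reported URL works because `/act/%61%63%74%75%61%74%6f%72` percent-decodes to `/act/actuator`: a gateway deny-list that compares the raw request path never sees the string `actuator`. The following is an added example, not code from the pig project or from any comment in this issue, showing that substring check beside a check on a normalized path (percent-decoded with a bounded number of rounds, dot segments resolved, `;` path parameters stripped, lower-cased). The function names, the decode bound and the sample paths are assumptions made for this illustration; the second sample path is the encoded form from the report, the rest are constructed variants.

```python
"""Percent-encoding bypass of a raw-path deny-list, and a normalized check.

Added example; not code from the pig project or from this issue.
"""
import posixpath
from urllib.parse import unquote

# Path segment the gateway is meant to block. Spring Boot's default
# management base path is /actuator.
BLOCKED_SEGMENT = "actuator"

# Constructed sample requests (assumption). The second entry is the encoded
# path from the report; the others are variants a tester would try next.
SAMPLE_PATHS = [
    "/act/actuator",
    "/act/%61%63%74%75%61%74%6f%72",
    "/act/%2561%2563%2574%2575%2561%2574%256f%2572",  # double-encoded
    "/act/ACTUATOR/env",
    "/act/./actuator/../actuator/env",
    "/act/foo/../actuator",
    "/act/actuator;jsessionid=x/env",
    "/act/health",
]


def naive_blocked(raw_path: str) -> bool:
    """Substring match on the path exactly as received on the wire.

    This models a deny-list filter that does not decode the path first:
    percent-encoding any byte of "actuator" slips past it.
    """
    return BLOCKED_SEGMENT in raw_path


def normalize_path(raw_path: str, max_decode_rounds: int = 3) -> str:
    """Canonicalize a request path before matching it against a deny-list.

    - percent-decode until the value stops changing, bounded so a hostile
      input cannot keep us looping (3 rounds covers double encoding)
    - drop ";key=value" path parameters from each segment
    - resolve "." and "..", collapse repeated slashes (lexically)
    - lower-case; over-blocking is the safer failure mode for a deny-list
    """
    path = raw_path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    path = posixpath.normpath("/".join(segments))
    # posixpath.normpath keeps a leading "//" (POSIX allows it); fold it.
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    return path.lower()


def hardened_blocked(raw_path: str) -> bool:
    """Deny-list check on the normalized path, matching whole segments only."""
    segments = [s for s in normalize_path(raw_path).split("/") if s]
    return BLOCKED_SEGMENT in segments


def audit(paths=SAMPLE_PATHS) -> dict:
    """Map each path to (naive_result, hardened_result) for comparison."""
    return {p: (naive_blocked(p), hardened_blocked(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, hardened) in audit().items():
        print(f"{path:<48} raw-match={naive!s:<5} normalized-match={hardened}")
```

Even the normalized check is still a deny-list in front of a backend with its own path-parsing rules, so it belongs in defence in depth rather than as the only control. The robust fix is the one described in the comment above: keep the management endpoints off the application's HTTP port (`management.server.port: -1`, or a separate management port that is reachable only from inside the network) and keep `management.endpoints.web.exposure.include` limited to what is actually needed.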
