[Principle Scanning] Alibaba Druid Unauthorized Access

Problem Description

Alibaba Druid's built-in monitoring page has no access control configured by default, so an attacker who can reach it can open it and obtain sensitive information.


Cause Analysis:

Druid is a database connection pool whose monitoring (stat view) page is exposed in the default configuration. It can be reached directly with GET /druid/index.html, which creates a risk of database data leakage.


Solution:

Configure a username and password for the page, or disable it entirely, in the application's yml configuration file:

    datasource:
      druid:
        # configure DruidStatViewServlet
        stat-view-servlet:
          # enabled: false  # set to false to disable the page entirely; default is true, which serves a login page
          url-pattern: "/druid/*"
          # IP allow list (unset or empty allows all sources)
          allow: 127.0.0.1
          # IP deny list (when both are set, deny takes precedence over allow)
          # deny: 111.111.3.111
          # disable the "Reset All" function on the HTML page
          reset-enable: false
          # login account and password for the druid page
          # login name
          login-username: admin
          # login password
          login-password: 6MV3ymN1vz9mhKJxj3gTz1123
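As an added example (not code from the original post), the following Python audit checks a parsed application config for the stat-view-servlet settings above and reports which protections are missing. The input dicts are constructed samples, and the optional `spring.` prefix is an assumption matching how druid-spring-boot-starter binds these properties.

```python
# Audit a parsed Spring Boot config (as a YAML loader would produce it) for an
# exposed Druid stat view servlet. Key names follow the YAML block above.
from typing import Any, Optional


def _lookup(cfg: dict, path: tuple) -> Optional[Any]:
    """Walk nested dicts by key path; return None if any key is missing."""
    cur: Any = cfg
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def audit_druid_stat_view(cfg: dict) -> list:
    """Return findings for the stat-view-servlet block; [] means disabled or protected.

    Accepts both the bare 'datasource' path used in the snippet above and the
    'spring.datasource' prefix (assumed to match druid-spring-boot-starter binding).
    """
    servlet = _lookup(cfg, ("spring", "datasource", "druid", "stat-view-servlet"))
    if servlet is None:
        servlet = _lookup(cfg, ("datasource", "druid", "stat-view-servlet"))
    if servlet is None:
        servlet = {}  # nothing configured: starter defaults apply (page enabled)
    if servlet.get("enabled", True) is False:
        return []  # servlet not registered at all, nothing to expose
    findings = []
    if not servlet.get("login-username") or not servlet.get("login-password"):
        findings.append("stat view enabled without login-username/login-password: "
                        "/druid/index.html is reachable unauthenticated")
    if not servlet.get("allow"):
        findings.append("allow list empty: every source IP may reach /druid/*")
    if servlet.get("reset-enable", True) is not False:
        findings.append("reset-enable not explicitly false: 'Reset All' remains usable")
    return findings


# Constructed sample: the default, vulnerable state (servlet enabled, nothing else set).
VULNERABLE_CFG = {"datasource": {"druid": {"stat-view-servlet": {"url-pattern": "/druid/*"}}}}

# Constructed sample: the hardened block from the YAML above (placeholder credentials).
HARDENED_CFG = {"datasource": {"druid": {"stat-view-servlet": {
    "url-pattern": "/druid/*", "allow": "127.0.0.1", "reset-enable": False,
    "login-username": "admin", "login-password": "CHANGE-ME-strong-password"}}}}

# Constructed sample: the page disabled outright.
DISABLED_CFG = {"datasource": {"druid": {"stat-view-servlet": {"enabled": False}}}}
```

Run it against the config actually deployed (after loading the YAML) to confirm that the finding list is empty before the service is exposed.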


Origin blog.csdn.net/hurtseverywhere/article/details/123705952