Problem Description
Alibaba Druid does not set up any access control by default, so an attacker can log in to its monitoring page and obtain sensitive information.
Cause Analysis:
Druid is a database connection pool, and its default configuration exposes the monitoring page without protection. The page can be reached directly with GET /druid/index.html, which creates a risk of database data leakage.
Solution:
In the application yml configuration file, either set a login username and password for the stat view servlet or disable the page entirely.
spring:
  datasource:
    druid:
      # Configure the DruidStatViewServlet (the /druid monitoring console)
      stat-view-servlet:
        # enabled: false   # set to false to disable the page entirely; the default is true, which serves the login page
        url-pattern: "/druid/*"
        # IP allow list (if not configured or empty, every source IP is allowed)
        allow: 127.0.0.1
        # IP deny list (when an address appears in both lists, deny takes precedence over allow)
        # deny: 111.111.3.111
        # Disable the "Reset All" function on the HTML page
        reset-enable: false
        # Login credentials for the druid console
        # Login name
        login-username: admin
        # Login password
        login-password: 6MV3ymN1vz9mhKJxj3gTz1123
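As an added check that is not part of the original page, the following Python audit evaluates the effective stat-view-servlet settings of an application configuration (assumed already loaded into a dict, e.g. with PyYAML) and reports the weaknesses the fragment above fixes: no login credentials, an empty allow list, and "Reset All" left enabled. The defaults and sample configs are constructed here for illustration.

```python
"""Audit druid-spring-boot-starter stat-view-servlet settings for the exposure described above."""

# Defaults of the starter when the keys are absent: servlet on, no login, allow-all, reset enabled.
DEFAULTS = {"enabled": True, "url-pattern": "/druid/*", "allow": "", "reset-enable": True}


def stat_view_settings(app_config: dict) -> dict:
    """Return the effective settings: values from spring.datasource.druid.stat-view-servlet over DEFAULTS."""
    node = ((app_config.get("spring") or {}).get("datasource") or {}).get("druid") or {}
    node = node.get("stat-view-servlet") or {}
    effective = dict(DEFAULTS)
    effective.update(node)
    return effective


def audit_druid_config(app_config: dict) -> list:
    """Return a list of findings; an empty list means the console is disabled or protected."""
    s = stat_view_settings(app_config)
    findings = []
    if not s["enabled"]:
        return findings  # page disabled: nothing is served under url-pattern
    if not s.get("login-username") or not s.get("login-password"):
        findings.append(f"{s['url-pattern']} is served without login credentials")
    if not str(s.get("allow") or "").strip():
        findings.append("allow list is empty: every source IP may reach the console")
    if s["reset-enable"]:
        findings.append("reset-enable is true: 'Reset All' can clear the collected statistics")
    return findings


# Constructed sample: a default-style config with no stat-view-servlet block at all.
EXPOSED = {"spring": {"datasource": {"druid": {}}}}

# Constructed sample mirroring the hardened fragment above (password is a placeholder).
HARDENED = {"spring": {"datasource": {"druid": {"stat-view-servlet": {
    "url-pattern": "/druid/*", "allow": "127.0.0.1", "reset-enable": False,
    "login-username": "admin", "login-password": "<placeholder-password>"}}}}}

# Constructed sample: the page fully disabled via enabled: false.
DISABLED = {"spring": {"datasource": {"druid": {"stat-view-servlet": {"enabled": False}}}}}

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED), ("DISABLED", DISABLED)):
        print(name, audit_druid_config(cfg) or "OK")
```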