| عنوان | Airfield Online public availability of backups |
|---|
| الوصف | The web application "Airfield Online" creates user initiated backups as MySQL database dumps. These backups are stored in the instance url (https://www.airfield-online.de/<airfield-identifier>) plus an easy to guess file url (/backups/af_<airfield-identifier>_dump<timestamp_YYYYMMDDhhmm>.sql.gz). When performing a GET request to this path, no further access control checks are applied. The dump includes all user data (including bank accounts, passwords in plain text and other data from customers).
The vulnerability was reported to the developer who added a HTTP basic authentication to the path. |
|---|
| المصدر | ⚠️ https://web.archive.org/web/*/https://airfield-online.de/* |
|---|
| المستخدم | 3sdukgzyjkfe9pgamth6xnzgoonwnhq (UID 19579) |
|---|
| ارسال | 21/09/2021 04:42 PM (5 سنوات منذ) |
|---|
| الاعتدال | 21/09/2021 06:38 PM (2 hours later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 183172 [Airfield Online MySQL Backup /backups/ توثيق ضعيف] |
|---|
| النقاط | 20 |
|---|