| Titel | DM Enterprise Website Building System DM Enterprise Website Building System <=2022.8 Authentication bypass |
|---|
| Beschreibung | The DM Enterprise Website Building System, version 2022.8 and earlier, contains an authentication bypass vulnerability in the file 'indexDM_load.php'. The flaw lies in the 'dmlogin' function, which accepts a cookie named 'is_admin'. If this cookie is set to 'y', the system allows the user to bypass authentication and operate as an admin. Therefore, by simply setting the cookie 'is_admin' to 'y', an unauthorized user can gain admin privileges, leading to potential data breaches and unauthorized system modifications. |
|---|
| Quelle | ⚠️ https://note.zhaoj.in/share/8gO8yxJ8aN51 |
|---|
| Benutzer | glzjin (UID 59815) |
|---|
| Einreichung | 15.02.2024 06:16 (vor 2 Jahren) |
|---|
| Moderieren | 23.02.2024 09:05 (8 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 254605 [Demososo DM Enterprise Website Building System bis 2022.8 Cookie indexDM_load.php dmlogin is_admin schwache Authentisierung] |
|---|
| Punkte | 20 |
|---|