Submit #808238: Industrial Application Software - IAS Canias ERP 8.03-- Information Disclosureinfo

TitelIndustrial Application Software - IAS Canias ERP 8.03-- Information Disclosure
BeschreibungA vulnerability classified as high was found in Industrial Application Software caniasERP 8.03. This affects the doAction function of the Java RMI Interface (default TCP port 27499). The manipulation of the argument sessionId with an empty string value leads to unauthenticated information disclosure. It is possible to initiate the attack remotely without any form of authentication. No user interaction is required for exploitation. Successful exploitation allows an unauthenticated remote attacker to retrieve a complete list of all active user sessions by sending a crafted iasGetUserListEvent request. The server response discloses session IDs (e.g. CRONJOB_76C9505836), usernames, client types (JAVA, WEB, CRONJOB), login timestamps, and client IP addresses — without any authentication check. The disclosed session IDs can be directly used to perform session hijacking, enabling a complete pre-authentication Remote Code Execution (RCE) attack chain. The vulnerability was identified through reverse engineering of the caniasERP client JAR files. These JAR files are publicly distributed without authentication via the application's JNLP launch endpoint (caniasout.jnlp), which is accessible over HTTP without any credentials. Decompilation of the JAR files revealed the RMI binding name format (XXXXXXXXS2OUT), the relevant event and response class structure, and the absence of any server-side authentication check on the GETUSERLIST handler. No unauthorized access to any production system was required to discover or demonstrate this vulnerability.
Quelle⚠️ https://gist.github.com/0xb1lal/3ef872a445310c5866d07d6a5b1803fa
Benutzer
 b1lal (UID 97312)
Einreichung20.04.2026 16:32 (vor 2 Monaten)
Moderieren09.05.2026 09:19 (19 days later)
StatusAkzeptiert
VulDB Eintrag362431 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface doAction sessionId schwache Authentisierung]
Punkte20

ZurückÜbersichtWeiter

Do you want to use VulDB in your project?

Use the official API to access entries easily!