| タイトル | Axios Italia Axios RE 1.7.0/7.0.0 REDefault.aspx DBIDX Connection String Parameter Pollution |
|---|
| 説明 | Connection String Parameter Pollution vulnerability found by changing DBIDX parameter in REDefault.aspx query. It is not filtered or sanitized, allowing attackers to change database connection string parameters. Accessing to ReStart.aspx (from one of school partners) and clicking on RE logo, we are redirected to REDefault.aspx, the vulnerable target, then to RELogin.aspx, which uses configuration parameters from the previous URL. Clicking on "Password dimenticata" (Password lost?) or "Accedi" (Login) we can see the details of exception thrown by ASP.NET. |
|---|
| ソース | ⚠️ https://family.sissiweb.it/Secret/REStart.aspx?Customer_ID=80008420434 |
|---|
| ユーザー | ErPaciocco (UID 4004) |
|---|
| 送信 | 2019年08月05日 22:25 (7 年 ago) |
|---|
| モデレーション | 2019年08月06日 07:48 (9 hours later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 139528 [Axios Italia Axios RE 1.7.0/7.0.0 Connection REDefault.aspx DBIDX 特権昇格] |
|---|
| ポイント | 20 |
|---|