제출 #435034: ZKteco biotime 9.0.1 Exposure of Access Control List Files to an Unauthorized Control정보

제목ZKteco biotime 9.0.1 Exposure of Access Control List Files to an Unauthorized Control
설명Vendor of Product: Biotime Version: 9.0.1 Description: There is a vulnerability that allows unauthorized access to sensitive images without proper security permissions. This issue arises when a site administrator adds a user or an employee captures their picture. Consequently, an attacker can view all images by guessing the image URLs, effectively circumventing security measures. Vulnerability Details: The vulnerability can be exploited by performing a brute force attack on the image URLs. For example, by accessing the following URL pattern: bash Copy code http://time.xmzkteco.com:8097/auth_files/photo/* An attacker can brute-force the image names, trying variations such as name.jpg with numbers from 0 to 1000 or more, leading to access to images like: bash Copy code http://time.xmzkteco.com:8097/auth_files/photo/109.jpg This allows an attacker to retrieve all images stored on the server. Proof of Concept (PoC): Using the URL pattern mentioned above, an attacker can sequentially access image files without authentication. Dorks: Shodan query: http.title:"biotime" Reported by: CyberSecurity Center - MOI Iraq
원천⚠️ https://gist.githubusercontent.com/whiteman007/f7a85252fed91deff6eb3f20596710b0/raw/b7c8a7f53d3316cfd2da1cae9bcf583d923860b7/biotime%25209.0.1
사용자
 Cybersecurity Center - MOI Iraq (UID 76965)
제출2024. 10. 31. PM 05:58 (2 연령 ago)
모더레이션2024. 11. 09. AM 11:21 (9 days later)
상태수락
VulDB 항목283662 [ZKTeco ZKBio Time 9.0.1 Image File /auth_files/photo/ 권한 상승]
포인트들20

Might our Artificial Intelligence support you?

Check our Alexa App!