Submission #808326: Industrial Application Software - IAS Canias ERP 8.03 -- Improper Authentication (CWE-287), (CWE-200) Info

Title: Industrial Application Software - IAS Canias ERP 8.03 -- Improper Authentication (CWE-287), (CWE-200)
Description: A vulnerability was found in Industrial Application Software caniasERP 8.03 and classified as high. The affected function is doAction of the component Login RMI Interface (default TCP port 27499). The manipulation with an empty username and empty password leads to improper authentication causing pre-authentication information disclosure. It is possible to initiate the attack remotely without authentication. Despite returning a USERWRONGPASSWORD status code — correctly denying login — the server pre-loads a complete user profile into the response object before authentication validation completes. The already-populated response is returned to the unauthenticated caller containing the full profile of an arbitrary user record selected from the database. The returned user is non-deterministic across requests, meaning repeated calls may leak profiles of different system users. The disclosed data includes the user's full name, surname, username, a valid session ID freshly assigned per request, a security key, the caller's network address as seen by the server, the complete menu and module permission tree, database name, database server address, server timezone, and server filesystem paths. Exploitation requires the clientVersion field in the request to exactly match the server's expected version string. This string is obtainable without authentication via the companion GETSERVERINFO vulnerability, making the full attack chain require no prior knowledge or credentials. Discovered by Bilal Güneş (@b1lal) of HawkTrace.
Source: https://gist.github.com/0xb1lal/758bbc5e4d82efea248e675da934ac69
User: b1lal (UID 97312)
Submitted: 2026-04-20 06:30 PM (2 months ago)
Moderation: 2026-05-09 06:33 PM (19 days later)
Status: Accepted
VulDB entry: 362460 [Industrial Application Software IAS Canias ERP 8.03 Login RMI Interface clientVersion Weak Authentication]
Points: 20
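The root cause described above is an ordering flaw: the response is populated with a user record and a fresh session before the credentials are checked, so the denied path still carries that data. The following Python sketch is an added illustration, not caniasERP code; the version string, status names other than USERWRONGPASSWORD, user records and the plaintext credential check are all constructed stand-ins. It places the flawed ordering beside the corrected one and adds a small check a reviewer or test suite can apply to any login response.

```python
import secrets

# Constructed placeholders; the real server's expected clientVersion string and the
# product's other status codes are not reproduced here.
EXPECTED_CLIENT_VERSION = "EXAMPLE-CLIENT-VERSION"
USERS = {"alice": {"password": "s3cret", "name": "Alice", "surname": "Example",
                   "menu": ["SALES", "HR"]}}           # constructed sample records

# Fields a denied login response must never contain.
PROFILE_FIELDS = {"username", "name", "surname", "sessionId", "menu"}


def _arbitrary_user_record():
    """Stands in for the arbitrary, non-deterministic user record the advisory describes."""
    return next(iter(USERS.items()))


def vulnerable_do_action(username, password, client_version):
    """Flawed ordering: the response is built from a user record BEFORE credentials are checked."""
    if client_version != EXPECTED_CLIENT_VERSION:
        return {"status": "CLIENT_VERSION_MISMATCH"}     # constructed status name
    uname, rec = _arbitrary_user_record()
    resp = {"username": uname, "name": rec["name"], "surname": rec["surname"],
            "sessionId": secrets.token_hex(8), "menu": rec["menu"]}
    candidate = USERS.get(username)
    if candidate is None or candidate["password"] != password:
        resp["status"] = "USERWRONGPASSWORD"
        return resp            # login is denied, yet the pre-loaded profile is returned
    resp["status"] = "OK"
    return resp


def hardened_do_action(username, password, client_version):
    """Corrected ordering: validate first; the failure path returns only a status."""
    if client_version != EXPECTED_CLIENT_VERSION:
        return {"status": "CLIENT_VERSION_MISMATCH"}
    rec = USERS.get(username)
    if (not username or not password or rec is None
            or not secrets.compare_digest(rec["password"], password)):
        return {"status": "USERWRONGPASSWORD"}           # nothing about any user leaves
    # Session and profile are created only after authentication succeeded.
    return {"status": "OK", "username": username, "name": rec["name"],
            "surname": rec["surname"], "sessionId": secrets.token_hex(8), "menu": rec["menu"]}


def leaks_profile(response):
    """True when a non-OK response still carries profile or session fields."""
    return response.get("status") != "OK" and bool(PROFILE_FIELDS & response.keys())
```

`leaks_profile` is the kind of assertion to run against every denied response from a login endpoint in a regression test, independent of which status code it reports.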
