| Title | SGS Intergard 8.7.0 Data transmission not fully encrypted |
|---|
| Description | SGS Intergard 8.7.0 does not correctly use cryptography in all functions of an application for data transmission, transmitting SQL queries in which it is possible to have access to "hashes" that should not be exposed, since it is possible to use them to obtain access to undue permissions by understanding the authorization mechanism, or even using them for authentication.
Any form of password sent from a customer, whether clear text, hashed, or encrypted, must be treated as the password itself. Of course, the password is encrypted. But knowing and sending that value to the server will authenticate that user in the app. There is no additional defense provided by just obscuring a parameter value and not securely encrypting an entire transmission. |
|---|
| Source | ⚠️ https://www.youtube.com/watch?v=XlRVwWXpv4w |
|---|
| User | hiagomoura (UID 50347) |
|---|
| Submission | 07/11/2023 19:34 (3 years ago) |
|---|
| Moderation | 07/18/2023 21:30 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 234448 [Intergard SGS 8.7.0 SQL Query cleartext transmission] |
|---|
| Points | 17 |
|---|