| Title | Axios Italia Axios RE 1.7.0/7.0.0 REDefault.aspx DBIDX Connection String Parameter Pollution |
|---|
| Description | Connection String Parameter Pollution vulnerability found by changing DBIDX parameter in REDefault.aspx query. It is not filtered or sanitized, allowing attackers to change database connection string parameters. Accessing to ReStart.aspx (from one of school partners) and clicking on RE logo, we are redirected to REDefault.aspx, the vulnerable target, then to RELogin.aspx, which uses configuration parameters from the previous URL. Clicking on "Password dimenticata" (Password lost?) or "Accedi" (Login) we can see the details of exception thrown by ASP.NET. |
|---|
| Source | ⚠️ https://family.sissiweb.it/Secret/REStart.aspx?Customer_ID=80008420434 |
|---|
| User | ErPaciocco (UID 4004) |
|---|
| Submission | 08/05/2019 22:25 (7 years ago) |
|---|
| Moderation | 08/06/2019 07:48 (9 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 139528 [Axios Italia Axios RE 1.7.0/7.0.0 Connection REDefault.aspx DBIDX privileges management] |
|---|
| Points | 20 |
|---|