Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2024-00944
- Vendor: https://www.spadej.com.tw/
- Title: https://www.spadej.com.tw/ Weak Password to Codebase Disclosure
- Introduction: Weak Password to Codebase Disclosure
Processing Status
Current status (stages):
- New submission
- Reviewed
- Reported
- Patch status not reported
- Not retested
- Public
Processing History
- 2024/08/14 22:35:33 : New submission (status updated by dx0xff)
- 2024/08/19 20:55:04 : Review completed (status updated by the HITCON ZeroDay service team)
- 2024/08/20 15:25:20 : Reported, no response (status updated by the HITCON ZeroDay service team)
- 2024/08/20 15:25:20 : Review completed (status updated by the HITCON ZeroDay service team)
- 2024/08/20 15:25:20 : Reported, no response (status updated by the HITCON ZeroDay service team)
- 2024/10/14 03:00:20 : Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2024-00944
- Reporter: dx0xfc (dx0xff)
- Risk: Critical
- Type: Weak Passwords
References
OWASP Top 10 - 2017 A2 - Broken Authentication
https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
CWE-521: Weak Password Requirements
https://cwe.mitre.org/data/definitions/521.html
HOW SECURE IS MY PASSWORD?
https://howsecureismypassword.net/
Related URLs
Description
0. Enumeration
Found the endpoint via OSINT.
1. Identification
The website redirects to http://125[.]227[.]230[.]178/Home/LogOn?ReturnUrl=%2F, which shows Bonobo Git Server (6.5.0.679). Further OSINT shows that the default username/password is admin:admin.
2. Verification
Logged in with the default username/password. All projects are visible to the admin account.
Discovered enterprise email and located the organization.
3. Evaluation
The severity is ranked as critical because:
- Codebase disclosure: clients' code can be seen.
- The account admin:admin has full permission on the server and can create/update any given privilege (e.g., authorization).
4. Disclaimer
I am an independent cybersecurity researcher dedicated to identifying and reporting security vulnerabilities to improve the security of systems and services. My activities may include testing systems without explicit prior authorization, but my intent is purely ethical and aimed at enhancing security. I adhere to responsible disclosure practices, ensuring that any vulnerabilities discovered are reported directly to the affected organizations, allowing them to address issues promptly and effectively. I do not engage in activities intended to exploit or harm systems or data, and I do not make guarantees regarding the accuracy or completeness of my findings. By conducting these activities in good faith, I aim to assist organizations in strengthening their cybersecurity defenses. I am committed to collaborating with organizations to ensure that vulnerabilities are resolved without risk to their operations and to facilitate a constructive dialogue to address security concerns. This disclaimer clarifies the ethical nature of my security research activities and my dedication to improving cybersecurity. Organizations are encouraged to contact me to discuss any findings and explore potential collaborations to enhance their security posture. Please consult a legal professional to ensure this disclaimer aligns with applicable laws and regulations.
I am an independent cybersecurity researcher dedicated to discovering and reporting security vulnerabilities to improve the security of systems and services. My activities may include testing systems without explicit prior authorization, but my intent is purely ethical and aimed at strengthening information security. I follow responsible disclosure principles, ensuring that any vulnerabilities found are reported directly to the relevant organizations so that they can resolve the issues promptly and effectively. I do not engage in any activity intended to exploit or damage systems or data, nor do I make any guarantee regarding the accuracy or completeness of my findings. By carrying out these activities in good faith, I hope to help organizations strengthen their cybersecurity defenses. I am committed to working with organizations to resolve vulnerabilities without endangering their operations and to foster constructive dialogue to address any security concerns. This statement is intended to clarify the ethical understanding behind this activity and my commitment to improving cybersecurity. Organizations are welcome to contact me to discuss any findings and explore potential cooperation opportunities to improve their information security.
5. Background of the Activity
- Non-intrusive Methods: I employ non-intrusive testing methods to minimize any potential impact on system performance and ensure that regular operations are not disrupted. All the information is found on the World Wide Web and the public Internet via OSINT.
- No System Alteration: I do not make any changes or alterations to systems during testing, ensuring that the integrity and functionality of the systems remain intact.
- Non-intrusive Methods: I employ non-intrusive testing methods to minimize any potential impact on system performance and ensure that regular operations are not disrupted.
- Confidentiality: Any information collected during the assessment is treated with the highest level of confidentiality and shared only with authorized personnel. None of the data or information is unrevealed.
- Timely Reporting: All findings are reported promptly to the relevant stakeholders, enabling swift action to address any security vulnerabilities. I will stop further testing to prevent unnecessary data gathering when a possible exploit is found with sufficient evidence.
- Non-intrusive: I use non-intrusive testing methods to reduce the potential impact on system performance and ensure that normal operation is not disturbed. All data was obtained through open-source intelligence (OSINT) and the World Wide Web.
- System Integrity: During testing I make no changes or adjustments to systems, ensuring that system integrity and functionality remain intact.
- Non-intrusive Methods: I use non-intrusive testing methods to minimize the potential impact on system performance and ensure that normal operation is not disturbed.
- Confidentiality: Any data collected during the assessment is handled confidentially and shared only with the authorized platform. All data will be disclosed in full.
- Timeliness: All findings are reported promptly to the authorized platform so that swift action can be taken to resolve any security vulnerabilities. When a potential vulnerability with sufficient evidence is found, I will stop further testing to avoid unnecessary data collection.
Glad to perform a re-test and feel free to ping me on the platform. Cheers. - dx0xfc
Remediation Suggestions
1. Replace the default username and password.
2. Review the existing service for past intrusions and for persistence left behind by adversaries.
3. Use MFA (multi-factor authentication).