EXCELLENT INFOTEK BiYan Broken Authentication

Current Description

EXCELLENT INFOTEK BiYan v2.9~v3.0 contains a broken authentication vulnerability that allows remote attackers to obtain data such as users' account names and passwords without authenticating. The affected product is deployed in many government and corporate systems.

Details

The injection point is "query_person_by_order.aspx".

It allows remote attackers to obtain data such as users' account names and passwords via the <DEPT_ID> parameter without authentication.

Description

Remote attackers can obtain data such as users' account names and passwords without authorization. Using a victim's account, an attacker can then change its password. This compromises the confidentiality, integrity and availability of the data and the system.

Affected files

http://[Target Domain]/kw/auth/security/tree/asp/query_person_by_order.aspx
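Until the vendor fix is applied, the practical question for a defender is whether this page has already been queried without a login. The following is an added example, not part of the advisory or the vendor's code: it parses IIS W3C log lines and flags requests to the affected path that carry no IIS user and no ASP.NET session cookie. The log excerpt is constructed; the endpoint path and the DEPT_ID parameter come from the advisory, while the cookie name ASP.NET_SessionId is the ASP.NET default and is assumed here (BiYan's actual cookie name is not given on the page).

```python
from urllib.parse import parse_qs

# Constructed sample IIS W3C log excerpt (not real traffic). The endpoint path and
# the DEPT_ID parameter are the ones named in the advisory; the cookie name
# ASP.NET_SessionId is the ASP.NET default and is an assumption, not taken from the page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
2024-01-15 08:12:01 10.0.0.5 GET /kw/auth/security/tree/asp/query_person_by_order.aspx DEPT_ID=1001 443 - 10.0.0.23 Mozilla/5.0 ASP.NET_SessionId=7f3a9c2e 200
2024-01-15 08:12:44 10.0.0.5 GET /kw/auth/security/tree/asp/query_person_by_order.aspx DEPT_ID=1001 443 - 198.51.100.77 curl/8.4.0 - 200
2024-01-15 08:13:02 10.0.0.5 GET /kw/default.aspx - 443 - 198.51.100.77 curl/8.4.0 - 302
2024-01-15 08:13:30 10.0.0.5 GET /kw/auth/security/tree/asp/query_person_by_order.aspx - 443 - 198.51.100.77 curl/8.4.0 - 302
"""

WATCHED_STEM = "/kw/auth/security/tree/asp/query_person_by_order.aspx"  # from the advisory
WATCHED_PARAM = "dept_id"                                               # from the advisory
SESSION_COOKIE = "asp.net_sessionid"                                    # assumed ASP.NET default


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, parts))


def has_session(rec):
    """True if IIS authenticated the user or the request carried an ASP.NET session cookie."""
    if rec.get("cs-username", "-") != "-":
        return True
    cookie = rec.get("cs(Cookie)", "-")
    if cookie == "-":
        return False
    # IIS logs spaces in the Cookie header as '+'; cookies are ';'-separated name=value pairs
    names = {c.split("=", 1)[0].strip().lower() for c in cookie.replace("+", " ").split(";")}
    return SESSION_COOKIE in names


def find_unauthenticated_lookups(text):
    """Return requests to the affected page that arrived with no user and no session."""
    findings = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != WATCHED_STEM:
            continue
        if has_session(rec):
            continue
        query = rec.get("cs-uri-query", "-")
        params = set()
        if query != "-":
            params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "dept_id_present": WATCHED_PARAM in params,  # the parameter named in the advisory
            "served": rec.get("sc-status") == "200",     # 200 means the page answered, 302 a login redirect
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_lookups(SAMPLE_LOG):
        print(f)
```

Run this over the real logs for the host, not the embedded sample. A finding with `dept_id_present` and `served` both true means the page answered an anonymous lookup and the listed client should be treated as having obtained account data. Two caveats: a session cookie is issued before login as well as after, so the cookie test only removes obvious noise; and `cs(Cookie)` is not logged by IIS unless that field is enabled, in which case `has_session` falls back to `cs-username` alone, which for a forms-authenticated application is almost always `-`. The authoritative fix remains a server-side authorization check on the page itself.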

Contributor

  • Tony Kuo (CHT Security)