@tonykuo76
Last active March 25, 2021 02:45
EXCELLENT INFOTEK BiYan Broken Authentication


Current Description

EXCELLENT INFOTEK BiYan v2.9~v3.0 contains a broken authentication vulnerability that allows remote attackers to obtain sensitive data, such as users' accounts and passwords, without authenticating. This vulnerability affects many government and corporate systems.

Details

The injection point is "query_person_by_order.aspx".

It allows remote attackers to obtain sensitive data, such as users' accounts and passwords, via the DEPT_ID parameter without authentication.

Description

Remote attackers can obtain sensitive data such as users' accounts and passwords. With access to a victim's account, remote attackers can modify the password. This compromises the confidentiality, integrity and availability of the data and the system.

Affected files

http://[Target Domain]/kw/auth/security/tree/asp/query_person_by_order.aspx
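
As an added detection example (not part of the advisory or the vendor's code), the script below scans IIS W3C-format access logs for the pattern described above: anonymous requests (cs-username "-") to query_person_by_order.aspx that carry a DEPT_ID parameter and receive HTTP 200. The log lines, client addresses and the reduced field set are constructed for illustration.

```python
# Added example (not from the original advisory): scan IIS W3C-format access
# logs for anonymous requests to the endpoint named in the advisory that carry
# a DEPT_ID parameter and got HTTP 200, i.e. the unauthenticated data access
# it describes. Sample log lines and addresses below are constructed.
from urllib.parse import parse_qs

ENDPOINT = "/kw/auth/security/tree/asp/query_person_by_order.aspx"

# Constructed IIS log (W3C extended format, reduced field set).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2021-03-25 02:45:10 GET /kw/auth/security/tree/asp/query_person_by_order.aspx DEPT_ID=100 - 203.0.113.5 200
2021-03-25 02:45:11 GET /kw/auth/security/tree/asp/query_person_by_order.aspx DEPT_ID=100 jdoe 192.0.2.10 200
2021-03-25 02:45:12 GET /kw/default.aspx - - 203.0.113.5 200
2021-03-25 02:45:13 GET /KW/AUTH/SECURITY/TREE/ASP/QUERY_PERSON_BY_ORDER.ASPX dept_id=7&x=1 - 198.51.100.9 200
2021-03-25 02:45:14 GET /kw/auth/security/tree/asp/query_person_by_order.aspx DEPT_ID=7 - 198.51.100.9 302
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def find_unauthenticated_access(text):
    """Return (client_ip, dept_id) for each anonymous HTTP 200 hit on ENDPOINT.
    IIS matches paths case-insensitively, so stem and query keys are lowered;
    cs-username is "-" when IIS recorded no authenticated user.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        dept = {k.lower(): v for k, v in query.items()}.get("dept_id")
        anonymous = rec.get("cs-username", "-") == "-"
        if dept and anonymous and rec.get("sc-status") == "200":
            hits.append((rec["c-ip"], dept[0]))
    return hits


if __name__ == "__main__":
    for ip, dept in find_unauthenticated_access(SAMPLE_LOG):
        print(f"ALERT: unauthenticated DEPT_ID={dept} request from {ip}")
```

Only the two anonymous 200 responses are reported; the authenticated request and the 302 redirect are not.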

Contributor

  • Tony Kuo (CHT Security)