SB2021010401 - Multiple vulnerabilities in MK-AUTH

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Authorization bypass through user-controlled key (CVE-ID: CVE-2021-3005)

The vulnerability allows a remote attacker to obtain sensitive information.

The vulnerability exists due to incorrect implementation of access restrictions in central/recibo.php. A remote attacker can obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number).

2) SQL injection (CVE-ID: CVE-2020-14068)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in central/executar_login.php. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

3) SQL injection (CVE-ID: CVE-2020-14069)

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in arp.php, dhcp.php, hotspot.php, ip.php, pgaviso.php, pgcorte.php, pppoe.php, queues.php, and wifi.php scripts. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

4) Credentials management (CVE-ID: CVE-2020-14070)

The vulnerability allows a remote attacker to guess administrative credentials.

The vulnerability exists due to guessable credentials to admin/executar_login.php. A remote attacker can guess administrative password and gain unauthorized access to the application.

5) Cross-site scripting (CVE-ID: CVE-2020-14071)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) OS Command Injection (CVE-ID: CVE-2020-14072)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the /auth admin scripts. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system with root privileges.

Remediation

Install update from vendor's website.

References

• http://mk-auth.com.br/
• https://gist.github.com/alacerda/3b925cb333eb839ae808d6f01642aeb3
• http://mk-auth.com.br/page/changelog-1
• https://gist.github.com/merhawi023/a1155913df3cf0c17971b0fb7dcd8f20