Vendor: Entab ERP
Reported by: Deb Prasad Banerjee
CVSS: 5.3 (MEDIUM)
Title: Broken Access Control via Rate Limits
CWE: CWE-284
Product Name: Entab ERP
Affected Version From: Entab ERP 1.0
Affected Version To: Entab ERP 1.0
Patch Exists: Yes
Related CVE: CVE-2022-30076
CPE: a:entab:entab_erp:1.0
Platforms Tested: Windows IIS
Year: 2022
ENTAB ERP 1.0 – Username PII leak
In the Entab ERP software at fapscampuscare.in, the login portal has a UserId field. A legitimate user enters their UserId and is shown their name, along with the services available to them. No rate limit is applied to this lookup, although one should be in place. As a result, an attacker can query the field for other UserIds and, through this broken access control, obtain other users' names. This lets a threat actor obtain the full name and user ID of the affected person.
Mitigation:
The vendor should implement rate limiting on the UserId field to prevent unauthorized access. The vendor should additionally adopt security measures such as two-factor authentication and a CAPTCHA.
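As an added example (not the vendor's code), the following Python sketch shows the kind of per-client sliding-window limit the mitigation calls for on a UserId lookup; the user directory, client addresses, thresholds and handler interface are constructed placeholders, not Entab's.

```python
"""Per-client rate limit in front of a pre-authentication UserId lookup."""
from collections import defaultdict, deque
from typing import Optional
import time

# Constructed stand-in for the ERP user directory (not real data).
USER_DIRECTORY = {"S1001": "Alice Example", "S1002": "Bob Example"}


class SlidingWindowLimiter:
    """Allow at most `max_requests` events per key in any `window` seconds."""

    def __init__(self, max_requests: int, window: float):
        self.max_requests = max_requests
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # age out old entries
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False  # over budget: refuse and do not record the attempt
        hits.append(now)
        return True


def make_lookup(max_requests: int = 5, window: float = 60.0):
    """Build a hypothetical UserId lookup handler keyed on client address."""
    limiter = SlidingWindowLimiter(max_requests, window)

    def lookup(client_addr: str, user_id: str, now: Optional[float] = None):
        if not limiter.allow(client_addr, now):
            return 429, {"error": "too many requests"}  # lookup budget exhausted
        if user_id not in USER_DIRECTORY:
            return 404, {"error": "not found"}
        return 200, {"name": USER_DIRECTORY[user_id]}

    return lookup


def burst_test(lookup, client_addr: str, ids, start: float = 0.0, step: float = 0.1):
    """Replay rapid lookups from one address; return (names returned, refused)."""
    returned = refused = 0
    for i, uid in enumerate(ids):
        status, _ = lookup(client_addr, uid, now=start + i * step)
        returned += status == 200
        refused += status == 429
    return returned, refused
```

With a budget of five lookups per minute, a burst of twenty sequential IDs from one address yields at most the names among the first five before every further request is refused, and the budget is restored only after the window elapses.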