How I found Bug in Pos Malaysia Improper Authorization CWE-285 | Ungku Nazmi

Reporting How I found Bug in Pos Malaysia Improper Authorization CWE-285

Published on | Classified in | heat

Be yourself use your brain

Anything u learned from the Blog just for research and educational purposes only Do not use the knowledge for illegal things.

[Risk Factors]

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action..

[Website Information]

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

Login DMIS

Login System DMIS , seems not update and let me try to login xD

[Vulnerability to reproduce]

NO EXPLOITATION CODE TO USE

1

2

3
 
Vulnerable : https://****.POS.COM.MY

u : admin p: admin

https://****.pos.com.my/****/**/User****.asp?namap=HQ/State%20Executive&nop=***&id=admin&username=admin

Unfortunately, I'm able to login as Admin into the system

[DISCLAIMER]

This issue has been reported to Cyber999 Team the bug had already been fixed..


Sorry about my english, is so bad😅
If you have any questions or suggestions, make sure to hit me in any of these mediums or the comments.


Thanks for reading.