[Preface]
This afternoon I forgot to pay the electricity bill using the MyTNB website. I was rushing to pay because I was afraid the electricity would be cut off if I paid late.
When I wanted to make a payment, I searched on Google and, by accident, found some links that contained a username and password in plain text.
[Getting Started]
I connected the website to my computer and right away jumped into the research.
I started off with the good ol' opening of the website interfaces.
Vuln 1 : http://***dbr.MYTNB.COM.MY/
Unsurprisingly, it looks like all we've got to work with is the web server. Off we go then.
After clicking the link and doing some research on my finding, it was an ENV AWS configuration, which contains the database user password, and the MSSQL port was open, which allows anyone to access the database.
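A defender-side check for the same class of exposure, added here as an example and not part of the original post: it walks a web root before deployment and reports env files that hold plaintext secrets. The key-name pattern, the placeholder list, the directory layout and the sample values are all assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Key names that usually hold secrets (assumed list; extend it for your stack).
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|ACCESS_KEY|API_KEY", re.I)
PLACEHOLDERS = {"", "changeme", "null", "none"}  # values that are not real secrets
# Constructed sample file; none of these values come from the original post.
SAMPLE = ("DB_HOST=db.example.internal\nDB_PORT=1433\nDB_PASSWORD='not-a-real-password'\n"
          "MAIL_PASSWORD=\nexport AWS_SECRET_ACCESS_KEY=EXAMPLEKEY\n# comment line\n")


def parse_env(text):
    """Parse dotenv-style text into a dict, skipping comments and blank lines."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("export "):
            line = line[len("export "):]
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs


def audit_webroot(webroot):
    """Return sorted (relative path, key) pairs for plaintext secrets in env files."""
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            if not (name.endswith(".env") or name.startswith(".env.")):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                pairs = parse_env(fh.read())
            for key, value in pairs.items():
                if SECRET_KEY.search(key) and value.lower() not in PLACEHOLDERS:
                    findings.append((os.path.relpath(path, webroot), key))
    return sorted(findings)


def demo():
    """Audit a constructed web root that contains one leaked env file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "public"))
        with open(os.path.join(root, "public", ".env"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        return audit_webroot(root)
```

Calling `audit_webroot()` on the real document root in a deployment pipeline and failing the build on any finding keeps such a file from being served; the secrets themselves belong outside the web root or in a secrets manager.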
[Has vendor confirmed or acknowledged the vulnerability?]
true
Ref :
[Concluding]
Since people have been asking, the bug has already been fixed. CWE-200
[DISCLAIMER]
I reported this bug to the MyCERT team on January 20, 2023.
Anything you learned from the blog is for research and educational purposes only. Do not use the knowledge for illegal things.
Sorry about my English, it is so bad😅
If you have any questions or suggestions, make sure to hit me up on any of these mediums or in the comments.
Thanks for reading.