Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by 0xmagdy - 27.03.2024
Last edited by cbay - 03.04.2024

FS#43 - Information Disclosure PHPpgAdmin

Vulnerability Detail

The PHPpgAdmin setup page is accessible over the internet, where it's possible for the user to set up the servers with the required details.

Vulnerable Endpoints

https://phppgadmin.alwaysdata.com/phppgadmin/redirect.php?subject=root (you can add a server via this endpoint)
https://phppgadmin.alwaysdata.com/phppgadmin/redirect.php?subject=server&server=&

Impact

It's possible for an attacker to configure the servers without information of the application administrator.

Closed by cbay
03.04.2024 07:03
Reason for closing: Invalid
Admin

Hello,

Can you provide us with a PoC showing us how you would do it?

Admin
cbay commented on 28.03.2024 08:22

That link returns "Access Denied", please provide a public link.

Admin
cbay commented on 29.03.2024 11:02

That's not a setup page, and you can only "add" servers to your own session. I'm pretty sure that's standard phpPgAdmin behaviour, and it doesn't cause any security issue as far as I know.
