Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials

EDB-ID: 44276
Author: LiquidWorm
Published: 2018-03-12
Type: Webapps
Platform: Multiple
Vulnerable App: N/A


Vendor: Prisma Industriale S.r.l.
Product web page:
Affected version: 1.0 (Rev 21, EPROM 202FWSAM ??)

Summary: Web Administration of Machine.

Desc: The vulnerability exists due to the disclosure of hard-coded credentials allowing
an attacker to effectively bypass authentication of PrismaWEB with administrator
privileges. The credentials can be disclosed by simply navigating to the login_par.js
JavaScript page that holds the username and password for the management interface that
are being used via the Login() function in /scripts/functions_cookie.js script.

Tested on: HMS AnyBus-S WebServer

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2018-5453
Advisory URL:



$ curl
// JavaScript Document
// 11 Dicembre 2009 Release 1.0 Rev.10

var txtChkUser = "prismaweb"; // Nome utente Login
var txtChkPassword = "prisma"; // Password Login

Related Posts