CVE-2020-26526 PoC — Damstra Smart Asset 安全漏洞

Source

https://github.com/lukaszstu/SmartAsset-UE-CVE-2020-26526

Associated Vulnerability

Title:Damstra Smart Asset 安全漏洞 (CVE-2020-26526)
Description:damstra smart asset（smart asset）是美国Smart Asset by Damstra的一个个人理财估算平台。该平台在用户提供一系列个人信息后可为用户提供最佳的理财策略。 Damstra Smart Asset 2020.7版本存在安全漏洞，该漏洞源于可以列举有效用户名登录页面。应用程序发送一个不同的服务器响应用户名无效时用户名是有效的(“无法找到一个APIDomain”与“错误的电子邮件或密码”)。

Description

It is possible to enumerate valid usernames on the login page.

Readme

# SmartAsset-UE-CVE-2020-26526
It is possible to enumerate valid usernames on the login page.

CVE-2020-26526

An issue was discovered in Damstra Smart Asset 2020.7.
It is possible to enumerate valid usernames on the login page. The
application sends a different server response when the username is
invalid than when the username is valid ("Unable to find an APIDomain" versus "Wrong email or password").

When the username is invalid, the server responds with:
"Unable to find an APIDomain for the email test@testtest.com, please contact your system administrator"

If the username is valid, the server responds with:
 "Login Failed! Wrong email or password." 
 
 ------------------------------------------

[Discoverer]
Lukasz Studniarz

File Snapshot


 [4.0K]  /data/pocs/078d4009194d9e938f034442e49de04b01cb3b54
└── [ 740]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!