DBSyncer Access Control Vulnerability in Configuration Download Endpoint Allows Sensitive Data Exposure
Vulnerability
A vulnerability in DBSyncer version 2.0.6 has been identified, stemming from incorrect access control on the '/config/download' endpoint. Because the endpoint can be reached without authentication, an unauthenticated user can download a JSON file containing sensitive account information, including passwords stored as SHA-1 hashes. The root cause is an access control misconfiguration that exposes sensitive configuration data directly, with no authentication check in front of it.
Impact
Exploitation of this vulnerability leads to the unauthorized disclosure of sensitive account information, including passwords hashed with SHA-1. SHA-1 is a fast general-purpose hash rather than a password hashing function, so the exposed hashes are vulnerable to offline brute-force attacks.
Reproduction
To reproduce this vulnerability, request the '/config/download' endpoint directly, with a web browser or a tool like curl and without supplying any credentials. The server responds with a JSON file that includes user account details and, for each account, a base64-encoded SHA-1 hash of the password.
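After upgrading or placing an authentication filter in front of the endpoint, a defender will want to confirm that '/config/download' no longer answers anonymous requests. The following Python script is an added example for that verification; it is not part of the advisory and not DBSyncer's own code. It assumes the endpoint path named above and treats a 401, 403 or redirect-to-login as "protected"; the JSON field names it looks for ("username", "password") are an assumption about the exported file, not DBSyncer's real schema.

```python
"""Verify that a DBSyncer instance denies anonymous access to /config/download.

Added example (not from the advisory or the DBSyncer project). Usage:
    python check_config_download.py http://dbsyncer.example.internal:18686
"""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/config/download"  # endpoint named in the advisory

# Field names that indicate account data in the exported JSON.
# ASSUMPTION for this example; the real export format may differ.
ACCOUNT_MARKERS = ("username", "password")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a 302-to-login is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled -> urllib raises HTTPError with the 3xx code


def classify_response(status, content_type, body):
    """Classify one HTTP response as 'protected', 'exposed' or 'unknown'.

    protected: the server refused the anonymous request (401/403) or
               redirected it, which is the expected post-fix behaviour.
    exposed:   a 200 JSON body that contains account fields.
    unknown:   anything else (e.g. a login page served with HTTP 200,
               or a 200 body that is not account JSON).
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected"
    if status == 200 and "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        # Normalise the document to text so nested structures are covered.
        text = json.dumps(data).lower()
        if any(marker in text for marker in ACCOUNT_MARKERS):
            return "exposed"
    return "unknown"


def check(base_url, timeout=10):
    """Request the endpoint with no credentials and classify the answer."""
    url = base_url.rstrip("/") + ENDPOINT
    req = urllib.request.Request(url, headers={"User-Agent": "config-download-check"})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as err:
        # 3xx and 4xx land here because of NoRedirect / default error handling.
        return classify_response(err.code, err.headers.get("Content-Type", ""), "")
    except urllib.error.URLError:
        return "unreachable"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(__doc__)
    verdict = check(sys.argv[1])
    print(f"{sys.argv[1]}{ENDPOINT}: {verdict}")
    # Non-zero exit when the endpoint is still readable, for use in CI or
    # a post-patch checklist.
    sys.exit(1 if verdict == "exposed" else 0)
```

The script reports "exposed" only when it receives a 200 JSON body with account fields, so a redirect to a login form or an explicit 401/403 counts as fixed; a 200 HTML login page is reported as "unknown" and worth a manual look rather than a silent pass.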
