Netmake ScriptCase
cpe:2.3:a:scriptcase:scriptcase:*:*:*:*:*:*:*
- 9.12.006 (23)
- 1.0.003-build-2
This vulnerability is being actively exploited in the wild.
An authentication bypass vulnerability has been identified in the Production Environment extension of Netmake ScriptCase, affecting versions through 9.12.006 (23). The issue arises from a mishandled password reset mechanism for the administrator account: the reset flow neither requires an authenticated session nor ties the target account to the session, so the email address and new password are taken directly from the request. An unauthenticated attacker can exploit this by sending a GET request to 'login.php' (to obtain a session) followed by a POST request to the same endpoint, bypassing authentication and taking over the administrator account. This exploitation can lead to unauthorized access to the database credentials stored in the Production Environment and, subsequently, to the databases themselves.
Exploitation of this vulnerability allows for unauthorized access to the administrator account of the ScriptCase Production Environment, enabling an attacker to gain access to sensitive database credentials and potentially execute malicious actions on the server.
To reproduce this vulnerability, first send a GET request to 'login.php' to initialize the session. Then send a POST request to the same 'login.php' with the 'nm_action' parameter set to 'change_pass', including a new password, a confirmation of the new password, a language preference, a captcha response, and an email address. No existing credential is required at any point; the captcha is the only control in the flow, and it can be solved manually or automated with Optical Character Recognition (OCR). Once the password has been reset, authenticate with the new password to gain access to the administrator account.
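Because the reset is a fixed two-step sequence against one endpoint (a GET to 'login.php' to open a session, then a POST to 'login.php' carrying nm_action=change_pass), it can be hunted for in web server access logs. The following is an added example, not part of the original advisory or of ScriptCase: a Python script that parses common/combined-format access log lines, correlates GET and POST requests to any '/login.php' by client IP, and flags every POST whose query string carries nm_action=change_pass, noting whether it was preceded by the session-initializing GET within a short window. The log lines and the '/scriptcase/prod/lib/php/' path prefix are constructed for the example; the real path depends on where the Production Environment is installed.

```python
"""Hunt access logs for the ScriptCase login.php password-reset sequence.

Added example (not from the advisory or the vendor). Assumes Apache/nginx
common or combined log format; sample lines below are constructed.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Common/combined log prefix: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log. Path prefix is hypothetical; IPs are RFC 5737 ranges.
# 203.0.113.7 performs the documented GET-then-POST reset sequence.
# 198.51.100.4 is an ordinary login (GET form, POST credentials).
# 192.0.2.9 posts change_pass with no prior GET from that address.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:01 +0000] "GET /scriptcase/prod/lib/php/login.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2025:14:02:09 +0000] "POST /scriptcase/prod/lib/php/login.php?nm_action=change_pass HTTP/1.1" 200 310
198.51.100.4 - - [10/Mar/2025:14:03:15 +0000] "GET /scriptcase/prod/lib/php/login.php HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2025:14:03:40 +0000] "POST /scriptcase/prod/lib/php/login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2025:14:05:00 +0000] "POST /scriptcase/prod/lib/php/login.php?nm_action=change_pass HTTP/1.1" 200 310
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
    }


def find_reset_attempts(lines, window_seconds=300):
    """Return one finding per POST to /login.php carrying nm_action=change_pass.

    sequence_matched is True when the same client IP issued a GET to
    /login.php within window_seconds beforehand, i.e. the exact two-step
    sequence described in the advisory.
    """
    last_get = {}  # ip -> timestamp of most recent GET /login.php
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/login.php"):
            continue
        ip = rec["ip"]
        if rec["method"] == "GET":
            last_get[ip] = rec["ts"]
            continue
        if rec["method"] != "POST":
            continue
        if "change_pass" not in rec["query"].get("nm_action", []):
            continue  # ordinary login POST, not a reset
        prior = last_get.get(ip)
        delta = None if prior is None else (rec["ts"] - prior).total_seconds()
        findings.append({
            "ip": ip,
            "time": rec["ts"].isoformat(),
            "status": rec["status"],
            "sequence_matched": delta is not None and 0 <= delta <= window_seconds,
        })
    return findings


if __name__ == "__main__":
    for f in find_reset_attempts(SAMPLE_LOG.splitlines()):
        print(f)
```

One caveat a practitioner should keep in mind: standard access logs record only the request line, so this script sees nm_action only when it is sent in the query string. If the parameter travels in the POST body, the access log alone cannot distinguish a reset from a normal login POST; in that case run the same match at a layer that sees request bodies (a reverse proxy or WAF with body logging) and treat any unexpected POST to 'login.php' from outside your administrative address range as worth a look.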
Restrict access to the ScriptCase Production Environment extension, particularly the 'login.php' and 'nm_ini_manager2.php' files, to trusted administrative sources at the web server or network layer, so that unauthenticated clients cannot reach the password reset flow at all. Additionally, the password reset feature should be modified to require an authenticated session and to derive the target email address from that session rather than accepting a user-provided email address. Since the vulnerability is under active exploitation, any exposed instance should also be checked for administrator password changes that were not initiated by its operators and for the database credentials it holds having been used from unexpected sources.