Perfex CRM Authentication Bypass Vulnerability in Admin Login

Vulnerability

A vulnerability allowing authentication bypass has been identified in Perfex CRM versions prior to 3.3.1. This issue arises from inadequate server-side validation of login credentials: the application accepts a login request whose username and password parameters are empty. By sending such a request, attackers can gain unauthorized access to user accounts, including those with administrative privileges.

Impact

Exploitation of this vulnerability allows attackers to bypass authentication and access user accounts, including admin accounts, with full privileges on the administrative dashboard.

Reproduction

To reproduce this vulnerability, navigate to the Perfex CRM admin login page. Intercept the login request using a proxy tool like Burp Suite. Remove or empty the username and password parameters in the request payload and forward the modified request. After refreshing the page, the system will display a '419 Page expired' message before automatically redirecting to the dashboard, granting access without valid credentials.

Remediation

Users are advised to implement strict server-side validation for authentication parameters, rejecting requests with empty or missing usernames or passwords. Ensure that session creation and authentication processes only occur after successful credential validation. Adding automated tests to verify that empty or missing credentials do not result in successful logins is also recommended.
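The following is an added illustration of the remediation described above, not code from Perfex CRM: a login handler that rejects missing or empty credentials before any lookup, verifies the password against a stored hash, and creates a session only after that verification succeeds. The parameter names, the PBKDF2 user store and the sample account are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store (not Perfex's real schema): PBKDF2 hashes with a fixed salt.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"admin": {"hash": _hash("correct horse battery staple"), "is_admin": True}}


@dataclass
class Session:
    user: str
    is_admin: bool
    token: str


def authenticate(params: dict) -> Optional[Session]:
    """Return a Session only after the credentials are fully validated; None otherwise."""
    username = params.get("username")  # assumed request parameter names
    password = params.get("password")
    # Reject absent, non-string, or empty parameters before touching the user store.
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    if not username.strip() or not password:
        return None
    record = USERS.get(username)
    # Always compute and compare a hash so unknown users take the same time as known ones.
    expected = record["hash"] if record is not None else _hash("dummy-password")
    if record is None or not hmac.compare_digest(expected, _hash(password)):
        return None
    # Session creation happens only here, after successful credential verification.
    return Session(user=username, is_admin=record["is_admin"], token=secrets.token_hex(16))
```

The automated checks the advisory recommends can be expressed directly against this function: an empty or missing username/password pair must return None, and only the correct credentials yield a session.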

Added: Oct 9, 2025, 9:22 PM
Updated: Oct 9, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.