Acrel Electrical Prepaid Cloud Platform Information Disclosure Vulnerability

Vulnerability

A vulnerability allowing unauthorized information disclosure has been identified in Acrel Electrical Prepaid Cloud Platform version 1.0. This issue arises from unprotected backup files, specifically 'bin.rar', which is accessible without authentication. The exposed files contain sensitive configuration data, including intranet server IP addresses and database credentials, such as usernames and passwords. This information could be exploited to access backend business databases, manipulate key user data like payment records and account information, and potentially facilitate further attacks within the internal network.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive user data, including payment information and account details. Additionally, it allows direct access to the backend database, where critical business data can be read, modified, or deleted. The exposure of internal IP addresses and credentials could also be used as a foothold for further attacks on the internal network. Such actions could disrupt business operations and cause financial losses.

Reproduction

To reproduce this vulnerability, download the exposed 'bin.rar' file from the web root directory of the Acrel Electrical Prepaid Cloud Platform. After extracting the archive, open the 'JuCheap.Data.dll.config' file, which contains unencrypted sensitive information such as the intranet server IP address and database credentials. This can be done using a standard HTTP client to request the backup file, followed by using a file extraction tool to decompress the downloaded archive.

Remediation

Remove all exposed backup files from the web root directory and rotate any compromised database credentials. Implement access control measures to prevent public access to backup and configuration files, and conduct regular security audits to identify and eliminate exposed sensitive data. Establish secure deployment practices to avoid leaving backup files in production environments.
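As a starting point for the audit step above, the following added example (not code from the vendor or from this advisory) walks a local copy of a web root and reports backup archives and config files holding plaintext connection-string credentials. The extension list, the function names and the sample tree with its placeholder values are assumptions made for illustration.

```python
import os
import re
import tempfile

# Extensions that should not sit in a web root (assumed list; extend per site).
ARCHIVE_EXTS = {".rar", ".zip", ".7z", ".tar", ".gz", ".tgz", ".bak", ".old", ".sql"}
# A non-empty credential inside a connection string, e.g. "Password=...;" or "pwd=...".
CRED_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\s]+")

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in ARCHIVE_EXTS:
                findings.append((rel, "backup/archive file in web root"))
            elif ext == ".config":
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read(1_000_000)  # cap how much of each file is read
                except OSError:
                    continue  # unreadable file: skip rather than abort the audit
                if CRED_RE.search(text):
                    findings.append((rel, "plaintext credential in config"))
    return sorted(findings)

def build_sample_webroot(root):
    """Create a constructed sample tree; all values are placeholders."""
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin.rar"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real archive")
    with open(os.path.join(root, "bin", "JuCheap.Data.dll.config"), "w") as fh:
        fh.write('<add name="db" connectionString="Server=192.0.2.10;'
                 'User Id=EXAMPLE_USER;Password=EXAMPLE_PASSWORD;" />')
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for rel, reason in audit_webroot(tmp):
            print(f"{rel}: {reason}")
```

Any archive finding should be removed from the deployment, and any credential found inside it treated as compromised and rotated.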

Added: Apr 5, 2026, 10:19 PM
Updated: Apr 5, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.