Last active: May 5, 2018 18:32
Directus 6.4.9 hardcoded creds (CVE-2018-10723)
[Description - CVE-2018-10723]
Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in
api/schema.sql.

------------------------------------------

[Additional Information]
Here is the extract of the hardcoded credential (from schema.sql):

INSERT INTO `directus_users`
  (`id`, `status`, `first_name`, `last_name`, `email`, `password`, `salt`, `token`,
   `access_token`, `reset_token`, `reset_expiration`, `position`, `email_messages`,
   `last_login`, `last_access`, `last_page`, `ip`, `group`, `avatar`, `avatar_file_id`,
   `location`, `phone`, `address`, `city`, `state`, `country`, `zip`, `language`,
   `timezone`, `invite_token`, `invite_date`, `invite_sender`, `invite_accepted`)
VALUES
  (1, 1, 'Admin', 'User', 'admin@admin.com',
   '$2y$12$wzU2hwDsGfofO5swMxVY6exTRcC.IkB4gKNu4RKdnW40p4LTudQ96',
   '36JjNIG3eGVoYDky', 'vpqBqeRX4CGw2OgDdZxv9H26Rw8mIo4Z',
   '', '', NULL, '', 1, NULL, NULL, '', '', 1,
   '//www.gravatar.com/avatar/64e1b8d34f425d19e1ee2ea7236d3028?s=200&d=identicon&r=g',
   NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'en', 'America/New_York',
   NULL, NULL, NULL, NULL);

That hash is the bcrypt hash of the password admin (the same as the username), so every installation seeded from this file starts with a known admin login.

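As an added illustration (my code, not the advisory's and not part of Directus), here is a small seed-file lint of the kind that would flag this INSERT in CI: it parses the one statement shape shown above (INSERT ... (columns) VALUES (values);), aligns columns to values, and reports any non-empty password, salt or token literal in a row of a users table, noting the bcrypt cost when the value is a bcrypt hash. The statement from the advisory is embedded as the sample input; the SAFE_SEED_SQL counter-example, the set of column names treated as credentials and the "table name contains user" heuristic are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Statement shape handled: INSERT INTO table (cols) VALUES (vals);
# A ')' inside a string literal is not handled, which is acceptable for a seed-file lint.
INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+`?(?P<table>\w+)`?\s*\((?P<cols>[^)]*)\)\s*VALUES\s*\((?P<vals>.*?)\)\s*;",
    re.IGNORECASE | re.DOTALL,
)
# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 hash chars.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$")
# Assumption: a non-empty value in any of these columns means a credential ships with the code.
CREDENTIAL_COLUMNS = {"password", "salt", "token", "access_token", "reset_token"}


@dataclass
class Finding:
    table: str
    row_id: str
    column: str
    value: str
    note: str


def split_values(raw: str) -> List[str]:
    """Split a VALUES(...) body on commas outside single-quoted strings ('' escapes a quote)."""
    parts: List[str] = []
    buf: List[str] = []
    in_str = False
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "'" and in_str and raw[i + 1:i + 2] == "'":
            buf.append("''")  # escaped quote inside a string literal, not a terminator
            i += 2
            continue
        if ch == "'":
            in_str = not in_str
        if ch == "," and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def literal(token: str) -> Optional[str]:
    """NULL -> None, 'text' -> text (unescaped), anything else (numbers) stays as written."""
    if token.upper() == "NULL":
        return None
    if len(token) >= 2 and token[0] == token[-1] == "'":
        return token[1:-1].replace("''", "'")
    return token


def find_hardcoded_credentials(sql: str) -> List[Finding]:
    """Return one Finding per credential-bearing column in every seeded row of a users table."""
    findings: List[Finding] = []
    for m in INSERT_RE.finditer(sql):
        table = m.group("table")
        if "user" not in table.lower():  # heuristic: only account tables are of interest
            continue
        cols = [c.strip().strip("`") for c in m.group("cols").split(",")]
        vals = [literal(v) for v in split_values(m.group("vals"))]
        if len(cols) != len(vals):  # cannot align columns to values; skip rather than guess
            continue
        row = dict(zip(cols, vals))
        row_id = str(row.get("id", "?"))
        for col in cols:
            val = row[col]
            if col.lower() not in CREDENTIAL_COLUMNS or not val:
                continue
            bm = BCRYPT_RE.match(val)
            note = (f"bcrypt hash literal (cost {int(bm.group('cost'))}) shipped in seed data"
                    if bm else "non-empty credential literal shipped in seed data")
            findings.append(Finding(table, row_id, col, val, note))
    return findings


# Sample input: the INSERT quoted in the advisory, embedded here as test data.
SEEDED_USER_SQL = """
INSERT INTO `directus_users`
  (`id`, `status`, `first_name`, `last_name`, `email`, `password`, `salt`, `token`,
   `access_token`, `reset_token`, `reset_expiration`, `position`, `email_messages`,
   `last_login`, `last_access`, `last_page`, `ip`, `group`, `avatar`, `avatar_file_id`,
   `location`, `phone`, `address`, `city`, `state`, `country`, `zip`, `language`,
   `timezone`, `invite_token`, `invite_date`, `invite_sender`, `invite_accepted`)
VALUES
  (1, 1, 'Admin', 'User', 'admin@admin.com',
   '$2y$12$wzU2hwDsGfofO5swMxVY6exTRcC.IkB4gKNu4RKdnW40p4LTudQ96',
   '36JjNIG3eGVoYDky', 'vpqBqeRX4CGw2OgDdZxv9H26Rw8mIo4Z',
   '', '', NULL, '', 1, NULL, NULL, '', '', 1,
   '//www.gravatar.com/avatar/64e1b8d34f425d19e1ee2ea7236d3028?s=200&d=identicon&r=g',
   NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'en', 'America/New_York',
   NULL, NULL, NULL, NULL);
"""

# Constructed counter-example: non-user seed data, and a user row whose password is left
# NULL so that the installer, not the repository, sets the admin credential.
SAFE_SEED_SQL = """
INSERT INTO `directus_settings` (`id`, `name`, `value`) VALUES (1, 'site_name', 'Directus');
INSERT INTO `directus_users` (`id`, `email`, `password`) VALUES (1, 'admin@example.com', NULL);
"""

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SEEDED_USER_SQL):
        print(f"{f.table} id={f.row_id}: {f.column} -> {f.note}")
    print("safe seed findings:", find_hardcoded_credentials(SAFE_SEED_SQL))
```

Run against the advisory's statement the lint reports three findings on row 1 of directus_users (password as a cost-12 bcrypt hash, plus the salt and token literals); the constructed safe seed produces none. The fix on the application side is the same thing the safe seed models: ship no credential row at all, and have the installer generate or prompt for the first admin password.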
------------------------------------------

[VulnerabilityType Other]
CWE-798: Use of Hard-coded Credentials

------------------------------------------

[Vendor of Product]
directus

------------------------------------------

[Affected Product Code Base]
Directus GitHub version as of 04/05/2018 - 6.4.9

------------------------------------------

[Affected Component]
https://github.com/directus/directus/blob/master/api/schema.sql

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Escalation of Privileges]
true

------------------------------------------

[CVE Impact Other]
CWE-798: Use of Hard-coded Credentials

------------------------------------------

[Attack Vectors]
remote

------------------------------------------

[Discoverer]
Edward Williams

------------------------------------------

[Reference]
https://github.com/directus/directus/commits/master