The component validate_user generates a session token that is XOR’ed with the user’s password. This prevents attackers from simply logging into the system without entering a valid user name and password. However, the validate_user function does not validate the session token’s XOR’ed value against the hashed password. This means that an attacker can simply send a valid user name and non-hashed password to the server, and the validate_user function will generate a session token that is XOR’ed with the non-hashed password. This makes it possible to bypass authentication via brute-force attacks. You can find the component validate_user in the /vendor/druid/druid-hotel/src/main/java/com/druid/hotel/management/Component.java file:

function validate_user () {
    validation.validate(this.user_data, 'xor_user_data');
}

Part IV - Hardening MySQL By Installing a Secure Version, Using Strong Passwords, and Using Unique Login Names

The default MySQL installation is insecure. If you have a vulnerable installation of MySQL, you should upgrade to a secure version or change passwords. You can find the default installation of MySQL in the /usr/share/mysql/default-files/install_db.sql file. You can find a list of secure versions of MySQL in /usr/share/mysql/secure-files/.

CVE-2022-42950

The component validate_user generates a session token that is XOR’ed with the user’s password. This prevents attackers from simply logging into the system without entering a valid user name and password. However, this function does not verify that its generated session token is actually encoded using SHA256 before generating it, which means an attacker can submit an arbitrary string for encoding and then use their own session tokens by hashing it once they have received one such as would be done

Timeline

Published on: 09/16/2022 15:15:00 UTC
Last modified on: 09/17/2022 02:25:00 UTC
