CVE-2019-17503

An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc.

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name	Vendor	Start Version	End Version
Dynamic_resource_scheduling	Kirona	5.5.3.5 (including)	5.5.3.5 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/127.html
https://cwe.mitre.org/data/definitions/143.html
https://cwe.mitre.org/data/definitions/144.html
https://cwe.mitre.org/data/definitions/668.html
https://cwe.mitre.org/data/definitions/87.html

References

http://packetstormsecurity.com/files/154838/Kirona-DRS-5.5.3.5-Information-Disclosure.html
https://github.com/Ramikan/Vulnerabilities/blob/master/Kirona-DRS%205.5.3.5%20Multiple%20Vulnerabilities

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-17503
CWE	https://cwe.mitre.org/data/definitions/425.html

Direct Request ('Forced Browsing')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References