关联漏洞
Description
Public Disclosure
介绍
# 🛡️ CVE-2025-26199 — Insecure Password Transmission via Cleartext in CloudClassroom-PHP-Project v1.0
## 📄 Description
CloudClassroom-PHP-Project v1.0 is vulnerable to insecure transmission of user credentials. During the authentication process, passwords are submitted over unencrypted HTTP rather than HTTPS. This exposes sensitive information (i.e., usernames and passwords) to interception by network-based attackers using packet sniffing or Man-in-the-Middle (MitM) attacks.
If an attacker captures valid admin credentials, they may log in and potentially exploit additional application functionality (e.g., file upload or remote shell injection) to achieve remote code execution, depending on the deployment context and system configuration.
## 📦 Affected Product
- **Name**: CloudClassroom-PHP-Project
- **Version**: 1.0
- **Repository**: [https://github.com/mathurvishal/CloudClassroom-PHP-Project](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
## 💥 Impact
- **Credential Interception**: Passwords transmitted in cleartext can be stolen by attackers on the same network.
- **Account Takeover**: Captured credentials can be reused to gain admin access.
- **Remote Code Execution** (in chained scenarios): If the admin panel includes file uploads or other critical operations, attackers can achieve code execution.
## 🌐 Vulnerable Endpoint
```http
POST http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php
```
## 🧪 Steps to Reproduce
1. **Clone the Repository**
```bash
git clone https://github.com/mathurvishal/CloudClassroom-PHP-Project.git
```
2. **Host the Application**
- Use XAMPP, LAMP, or any local server stack.
- Access via: `http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php`
3. **Perform Login over HTTP**
- Intercept the request using a proxy tool (e.g., Burp Suite or Wireshark).
- Observe the password sent in plaintext over an unencrypted channel.
4. **Attack Vector**
- An attacker in a shared network environment captures the HTTP request and retrieves credentials from the payload.
## 🛡️ Recommendations
- Enforce HTTPS for all authentication and sensitive endpoints.
- Configure web server to redirect all HTTP traffic to HTTPS.
- Educate users to never enter credentials on HTTP pages.
- Use HSTS (HTTP Strict Transport Security) to prevent protocol downgrades.
## 🧩 CWE Classification
- **CWE-319**: Cleartext Transmission of Sensitive Information
[https://cwe.mitre.org/data/definitions/319.html](https://cwe.mitre.org/data/definitions/319.html)
- *(Optional if RCE is possible)*
**CWE-306**: Missing Authentication for Critical Function
[https://cwe.mitre.org/data/definitions/306.html](https://cwe.mitre.org/data/definitions/306.html)
## 📊 CVSS v3.1 (Base Score)
- **Score**: 8.1 (High)
- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N`
## 📅 Timeline
| Event | Date |
|-----------------------------|---------------|
| Vulnerability Discovered | 15 April 2025 |
| Public Disclosure | 18 June 2025 |
| Patch Available | No |
## 🧑💻 Credit
This vulnerability was discovered and responsibly disclosed by:
**Tansique Dasari**
📧 tansique.d@gmail.com
🔗 [https://github.com/tansique-17](https://github.com/tansique-17)
## 🔗 References
- [OWASP – Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
- [CWE-319](https://cwe.mitre.org/data/definitions/319.html)
- [CloudClassroom GitHub Repository](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
文件快照
[4.0K] /data/pocs/ed5500aa945054ece28026e94c95a97d74ad0da2
└── [3.6K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →