Unauthorized Access To Admin Panel

  • Reported to Private
  • Reported by Haqtify
  • High (8.2)
  • $500
  • Published 3 years ago
  • No Likes

URL:

https://admin.redacted.app/login

Summary:

The admin panel is publicly reachable and any registered user of the main site can log in to this host. This grants access to internal data and allows changes to be made without admin-level authentication.

Steps To Reproduce:

1. First, create an account on the main domain as a normal user.

https://redacted.app

2. Now go to the Admin Panel, which is hosted on a subdomain.

https://admin.redacted.app

3. Log in to the Admin area with the same user credentials.

4. BOOM. The login succeeds and the regular user account has access to the Admin Panel.

POC:
Remedy:

1. This subdomain should be reachable only privately, not from the public internet.
2. Only valid admin emails should be able to log in.
3. Regular user emails must not be accepted.
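The following is an added illustration, not the reporter's or vendor's code, of the bug in the steps above and of the remedy: the vulnerable admin login only verifies credentials against the shared user store, while the fixed version also enforces a network allowlist and an admin role check. The user records, passwords and the `10.0.0.0/8` allowlist are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed sample user store shared by the main site and the admin host.
# Passwords are stored as salted PBKDF2 hashes; "role" is what the admin host
# must check in addition to the password.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash(password, salt), "role": role}

USERS = {
    "user@example.com": _record("user-pass", "user"),
    "admin@example.com": _record("admin-pass", "admin"),
}

# Hypothetical private range from which the admin host may be reached.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

def _credentials_valid(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        # Hash anyway so an unknown account takes as long as a wrong password.
        _hash(password, b"dummy-salt")
        return False
    return hmac.compare_digest(record["pw"], _hash(password, record["salt"]))

def admin_login_vulnerable(email: str, password: str) -> bool:
    """The reported bug: the admin host reuses the main site's authentication
    and never asks whether the account is actually an admin."""
    return _credentials_valid(email, password)

def admin_login_fixed(email: str, password: str, client_ip: str) -> bool:
    """The remedy: reject clients outside the private range, then require
    valid credentials AND the admin role (authorization, not just
    authentication)."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ADMIN_ALLOWLIST):
        return False
    if not _credentials_valid(email, password):
        return False
    return USERS[email]["role"] == "admin"
```

The vulnerable function accepts the ordinary user's credentials exactly as step 3 describes; the fixed one rejects them even from an allowlisted address.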