module
Syncovery For Linux Web-GUI Session Token Brute-Forcer
| Disclosed |
|---|
| Sep 6, 2022 |
Description
This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI
by generating all possible tokens for every second between 'DateTime.now' and the given X day(s).
By default, today and yesterday (DAYS = 1) are checked. If a valid session token is found, the module stops.
The vulnerability exists because Syncovery session tokens are basically just base64(m/d/Y H:M:S) of the login
time instead of a random token.
If a user does not log out (Syncovery v8.x has no logout), session tokens remain valid until reboot.
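The token scheme described above next to a hardened replacement, as an added Ruby example that is not code from the module or from Syncovery. The zero-padded strftime format, the helper names and the sample login time are assumptions made for illustration.

```ruby
require 'base64'
require 'securerandom'
require 'time'

# Weak scheme as the description states it: base64(m/d/Y H:M:S) of the login time.
# Assumption: fields are zero-padded; the page does not give the exact formatting.
def timestamp_token(login_time)
  Base64.strict_encode64(login_time.strftime('%m/%d/%Y %H:%M:%S'))
end

# Hardened form: 256 bits from the OS CSPRNG, unrelated to when the login happened.
def random_token
  SecureRandom.urlsafe_base64(32)
end

# Size of the token space for a window of whole days: one value per second.
def candidates_in_window(days_covered)
  days_covered * 24 * 60 * 60
end

# Audit helper (hypothetical name): returns the login time embedded in a token,
# or nil when the token is not a base64-encoded timestamp.
def embedded_login_time(token)
  decoded = Base64.strict_decode64(token)
  return nil unless decoded.match?(%r{\A\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}\z})

  Time.strptime(decoded, '%m/%d/%Y %H:%M:%S')
rescue ArgumentError
  # Raised for invalid base64 and for impossible dates such as month 13.
  nil
end

# Constructed sample: a login at noon on the disclosure date.
sample = timestamp_token(Time.new(2022, 9, 6, 12, 0, 0))
puts "timestamp token: #{sample}"
puts "leaks login time: #{embedded_login_time(sample)}"
puts "values for today and yesterday: #{candidates_in_window(2)}"
puts "random token leaks: #{embedded_login_time(random_token).inspect}"
```

Running embedded_login_time over issued session tokens is a quick check for whether an installation still hands out timestamp-derived tokens.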