CVE-2007-6603

MEDIUM 5.0 / 10.0
Published: December 31, 2007 at 08:46 PM
Modified: April 9, 2025 at 12:30 AM
Source: cve@mitre.org

Vulnerability Description

Hot or Not Clone has insufficient access control for producing and reading database backups, which allows remote attackers to obtain the administrator username and password via a direct request to control/backup/backup.php, which generates a backup/dump/backup.sql file that can be downloaded via a direct request to control/downloadfile.php.

CVSS Metrics

Base Score: 5.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Hot or Not Clone has an access control vulnerability in its database backup functionality that allows remote, unauthenticated attackers to retrieve the administrator's credentials. The flaw exposes the contents of the application's database to unauthorized users, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a vulnerable Hot or Not Clone installation.

Step 2: Backup Trigger: The attacker directly requests control/backup/backup.php. This triggers the database backup process, which writes backup/dump/backup.sql containing the database contents, including the administrator's credentials (likely hashed).

Step 3: Backup Download: The attacker directly requests control/downloadfile.php?file=backup.sql. This downloads the backup.sql file.

Step 4: Credential Extraction: The attacker analyzes the backup.sql file, extracting the administrator's username and password (or the hash of the password).

Step 5: System Compromise: The attacker uses the extracted credentials to log into the application as an administrator, gaining full control of the system.

03 // Deep Technical Analysis

The vulnerability stems from inadequate access controls within the Hot or Not Clone application's backup functionality. Specifically, the control/backup/backup.php script generates a database backup (backup.sql) without proper authentication or authorization checks. This allows any unauthenticated user to trigger the backup process. Furthermore, the control/downloadfile.php script, used to download the backup file, also lacks sufficient access control, permitting unauthorized download of the sensitive backup.sql file. The root cause is a failure to implement proper authentication and authorization mechanisms before executing sensitive operations like database backups and file downloads. The lack of these checks allows attackers to bypass security measures and gain access to critical system information, including administrator credentials.
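A detection sketch for the request sequence described above, added here as an example and not code from the CVE record or the application: it scans web server access logs for successful requests to the two scripts from clients outside an admin allowlist and marks a backup request followed by a download from the same client. The common/combined log format, the `admin_ips` allowlist, the 10-minute window and the finding names are assumptions, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Script paths named in the CVE description.
BACKUP_PATH = "control/backup/backup.php"
DOWNLOAD_PATH = "control/downloadfile.php"

# Common/combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Dec/2007:20:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [31/Dec/2007:20:41:10 +0000] "GET /control/backup/backup.php HTTP/1.1" 200 312
203.0.113.9 - - [31/Dec/2007:20:41:15 +0000] "GET /control/downloadfile.php?file=backup.sql HTTP/1.1" 200 88211
198.51.100.7 - - [31/Dec/2007:20:45:00 +0000] "GET /control/downloadfile.php?file=backup.sql HTTP/1.1" 403 199
192.0.2.44 - - [31/Dec/2007:21:00:00 +0000] "GET /control/backup/backup.php HTTP/1.1" 200 312
"""

def find_backup_exposure(log_text, admin_ips=frozenset(), window=timedelta(minutes=10)):
    """Return (client_ip, finding) tuples for successful non-admin hits on the backup scripts."""
    findings, last_backup = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, uri, status = m.groups()
        # Only 2xx responses to clients outside the (assumed) admin allowlist matter here.
        if ip in admin_ips or not status.startswith("2"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = urlsplit(uri).path  # drop the query string; tolerate an install prefix
        if path.endswith(BACKUP_PATH):
            last_backup[ip] = when
            findings.append((ip, "backup_triggered"))
        elif path.endswith(DOWNLOAD_PATH):
            # A download soon after a backup request from the same client is the full chain.
            chained = ip in last_backup and when - last_backup[ip] <= window
            findings.append((ip, "backup_then_download" if chained else "download_only"))
    return findings

if __name__ == "__main__":
    for ip, finding in find_backup_exposure(SAMPLE_LOG, admin_ips={"192.0.2.44"}):
        print(ip, finding)
```

Any finding on a patched or access-restricted installation means the scripts are still answering unauthenticated requests, since a properly protected endpoint would return a redirect or a 401/403 rather than a 2xx.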
