A well-known beverage company's weak VPN password causes internal information leakage
The login page has no verification code (CAPTCHA), so weak passwords can be cracked.
Shenzhen Dongpeng Beverage Industry Co., Ltd. SSL VPN login portal:
https://app.szeastroc.com
Because of poor design and the missing verification code, weak passwords can be cracked.
The login request was captured with Burp Suite and replayed with the top-500 names as usernames and 123456 as the password, which turned up a weak password:
Zhangyong
123456
Log on to the SSL VPN.
After connecting, you can log on to FTP, mail, and other systems.
The internal mailbox login page has no verification code either.
The address book exported from the logged-on mailbox was used as the username list, which turned up several more accounts.
There is still a lot of sensitive material in the mailbox, including various reports, accounts, passwords, the company address book, OA ...
OA login page
You can log on to the OA system directly with the mailbox account and password.
http://oa.szeastroc.com:89/login.do
Proof of vulnerability:
Solution:
For the SSL VPN and mail, I only used some usernames to test weak passwords. If all the passwords are tested, it is estimated that there will be more.
The tested accounts are sufficient to indicate hazards. All accounts should be checked when fixing vulnerabilities.
1. Add the verification code.
2. Change the password. Do not use weak passwords.
3. Do not reuse the same account and password across multiple systems.
4. Strengthen employees' information security awareness.
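A detection check to go with these fixes, added here as an example and not part of the original report: one password tried once against many usernames never trips per-account lockout, so the script groups failed logins by source address and reports the accounts that source did get into. The log format, addresses, usernames, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format: "<ISO time> <source IP> <user> <OK|FAIL>".
# Adapt parse() to the real VPN, mail, or OA authentication log.
SAMPLE_LOG = """\
2024-05-06T09:00:01 198.51.100.7 user01 FAIL
2024-05-06T09:00:02 198.51.100.7 user02 FAIL
2024-05-06T09:00:03 198.51.100.7 user03 FAIL
2024-05-06T09:00:04 198.51.100.7 user04 OK
2024-05-06T09:00:05 198.51.100.7 user05 FAIL
2024-05-06T09:00:06 198.51.100.7 user06 FAIL
2024-05-06T09:00:07 198.51.100.7 user07 FAIL
2024-05-06T09:01:00 203.0.113.20 user08 FAIL
2024-05-06T09:01:10 203.0.113.20 user08 FAIL
2024-05-06T09:01:30 203.0.113.20 user08 OK
"""
WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_USERS = 5                   # assumed distinct-username threshold

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, ip, user, result = parts
            yield datetime.fromisoformat(ts), ip, user.lower(), result

def detect_spraying(log_text, window=WINDOW, min_users=MIN_USERS):
    """Flag sources failing against >= min_users distinct accounts in a window."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_ip[event[1]].append(event)
    alerts = {}
    for ip, events in by_ip.items():
        fails = [(ts, user) for ts, _, user, res in events if res == "FAIL"]
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({u for _, u in fails[start:end + 1]}))
        if peak >= min_users:
            # Accounts this source logged in to need a password reset first.
            hits = sorted({u for _, _, u, r in events if r == "OK"})
            alerts[ip] = {"users_failed": peak, "succeeded": hits}
    return alerts

if __name__ == "__main__":
    print(detect_spraying(SAMPLE_LOG))
```

A single user mistyping a password (the second source in the sample) stays below the threshold because only one distinct username fails.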