Advisory ID: SYSS-2025-057
Product: MobiDiK
Manufacturer: Richard Müller GmbH
Affected Version(s): 8.3
Tested Version(s): 8.3
Vulnerability Type: Improper Authentication (CWE-287)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2025-09-26
Solution Date: -
Public Disclosure: 2025-12-12
CVE Reference: Not yet assigned
Author of Advisory: Dennis Caliskan, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

MobiDiK is a web shop for pharmacy supplies.

The manufacturer describes the product as follows (see [1]):

"Since 1985, MobiDiK (Mobile Datenerfassung im Krankenhaus) has been networking hospital processes using mobile scanners for the benefit of staff on the wards, in the warehouse, and in the pharmacy. [...] MobiDiK is a modular solution that makes it possible to map all customer structures, from large university hospitals to decentralized solutions for logistics companies, using a single system."

Due to insufficient password validation, the web application is vulnerable to an authentication bypass attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An authentication bypass vulnerability allows an attacker to gain unauthorized access to user accounts by simply knowing or guessing valid usernames, without any knowledge of the password.

The web application's back end accepts login requests with valid usernames and empty passwords. A client-side filter checks whether the password field has been filled in, but such filters can easily be circumvented, e.g. by using a web proxy. If an incorrect (non-empty) password is submitted, however, access is properly denied. This suggests that the back-end logic either skips password validation for empty input or treats an empty password as valid under certain conditions.
Furthermore, the following has been observed: In the administrative user management settings, it is possible to set an initial password for user accounts, either when the account is created or when the account already exists. This password is automatically set by the web application itself. As long as this initial password is set, the authentication bypass using an empty password does not work. But as soon as the corresponding user changes this initial password, the account becomes vulnerable.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the web application with a valid username and a password of your choice. Make sure the target user has changed the initial password.

2. Intercept the corresponding HTTP POST request with a web proxy, bypassing the client-side filter. Leave the password field empty. The tenant ID can be obtained by observing the "inst" parameter in the URL when accessing the login page.

The resulting HTTP POST request upon login may look as follows:

POST /index.php HTTP/2
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 130

login=&pwd=&modus=login&cdx=&p0=&p1=&mandant=&sid=&mwahlbenutzer=&inst=&fensterbreite=1152&hmauswahlfeld=&umauswahlfeld=

3. Observe that you have been successfully authenticated as this user without providing any password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Perform proper server-side password validation, regardless of input format or content. Always implement filters on both the client side and the server side to avoid inconsistent input validation.
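As an added illustration for the Vulnerability Details and Solution sections (example code written for this advisory page, not MobiDiK's own code), the following Python contrasts a login handler that only compares the password when the field is non-empty, which is the flawed pattern the advisory infers, with one that validates on the server side unconditionally. The field names "login" and "pwd" are taken from the PoC request above; the user store, the PBKDF2 hashing scheme, the user "alice" and the request bodies are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed user store (assumption, not MobiDiK's data model):
# username -> (salt, PBKDF2-SHA256 hash of the password).
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = secrets.token_bytes(16)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


USERS = {"alice": make_user("correct horse battery staple")}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict.
    keep_blank_values=True matters: without it 'pwd=' is dropped entirely and
    the handler can no longer distinguish an empty field from a missing one."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def login_vulnerable(form: dict) -> bool:
    """Hypothetical reconstruction of the flawed pattern described in the
    advisory: the hash comparison is gated on the password being non-empty,
    so an empty 'pwd' falls through to the success path."""
    username, pwd = form.get("login", ""), form.get("pwd", "")
    record = USERS.get(username)
    if record is None:
        return False
    if pwd:  # BUG: validation only runs when input is present
        salt, expected = record
        return hmac.compare_digest(hash_password(pwd, salt), expected)
    return True


def login_fixed(form: dict) -> bool:
    """Server-side validation regardless of input format or content."""
    username, pwd = form.get("login", ""), form.get("pwd", "")
    # Reject empty credentials here, independent of any client-side filter.
    if not username or not pwd:
        return False
    record = USERS.get(username)
    if record is None:
        # Hash a dummy value so unknown usernames cost as much as known ones.
        hash_password(pwd, DUMMY_SALT)
        return False
    salt, expected = record
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(hash_password(pwd, salt), expected)


# Constructed request bodies modelled on the PoC request (username filled in
# for illustration; the trailing form fields are carried along unchanged).
EMPTY_PASSWORD_BODY = "login=alice&pwd=&modus=login&cdx=&p0=&p1=&mandant=&sid=&inst="
WRONG_PASSWORD_BODY = "login=alice&pwd=wrong&modus=login"
CORRECT_PASSWORD_BODY = "login=alice&pwd=correct+horse+battery+staple&modus=login"

if __name__ == "__main__":
    cases = [("empty", EMPTY_PASSWORD_BODY), ("wrong", WRONG_PASSWORD_BODY), ("correct", CORRECT_PASSWORD_BODY)]
    for name, body in cases:
        form = parse_form(body)
        print(f"{name:8s} vulnerable={login_vulnerable(form)} fixed={login_fixed(form)}")
```

Run stand-alone, the script shows the empty-password body accepted by login_vulnerable and rejected by login_fixed, while a wrong password is rejected by both and the correct one accepted by both. The design point is that login_fixed never branches on whether input is present: an empty field is treated as a failed attempt, so a bypassed client-side filter changes nothing.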
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-09-18: Vulnerability discovered
2025-09-26: Vulnerability reported to manufacturer
2025-10-06: Vulnerability reported to manufacturer again
2025-12-08: To date, the vendor has not replied to the inquiry
2025-12-12: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MobiDiK
    http://www.richard-mueller.de/gesundheitswesen/startseite-gesundheitswesen/
[2] SySS Security Advisory SYSS-2025-057
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-057.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dennis Caliskan of SySS GmbH.

E-Mail: dennis.caliskan@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Dennis_Caliskan.asc
Key ID: 0x5E916BF585867B55
Key Fingerprint: 52ED 2BF9 15D9 4965 854A 8336 5E91 6BF5 8586 7B55

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en