High severity · 7.5 · NVD Advisory · Published Feb 12, 2026 · Updated Apr 15, 2026

CVE-2019-25335

Description

PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The administration panel login of PRO-7070 Hazır Profesyonel Web Sitesi 1.0 can be bypassed by submitting the SQL injection-like string '=' 'or' as both username and password, which leads to unauthorized access.

The vulnerability is an authentication bypass in the administration panel login page of PRO-7070 Hazır Profesyonel Web Sitesi version 1.0. The root cause is insufficient input validation: the login mechanism does not sanitize user-supplied data, which allows SQL injection, or a logic flaw, in which the credential check is circumvented by supplying the string '=' 'or' in both the username and password fields [2].

An attacker can exploit this vulnerability by accessing the administration panel at the path /yonetim/pass.asp and entering the payload as both credentials. No authentication or prior access is required, so any remote attacker who can reach the login page can attempt it. The exploitation process is straightforward, as demonstrated in the public proof-of-concept [2].

Successful exploitation grants full administrative privileges to the web site backend. An attacker can then modify site content, manage menus and sliders, view user submissions, and potentially perform other actions that compromise the integrity and confidentiality of the website and its data. This could lead to defacement, data theft, or further compromise of the hosting environment.

As of the latest information, no official patch has been released by the vendor. Users of this product should consider migrating to a more secure solution or implementing robust input validation and parameterized queries to mitigate the risk. The vulnerability is publicly documented with exploit code available [1][2].
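
A sketch of the mitigation named above, added here as an illustration and not the product's code: a login check that binds the username as a query parameter and compares a salted password hash outside SQL, so the string from the description is handled purely as data. It uses Python with an in-memory SQLite table as a stand-in for the product's ASP backend; the table, column names, sample account and length limit are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ADVISORY_STRING = "'=' 'or'"  # the credential string quoted in the description
MAX_FIELD_LEN = 64            # assumed upper bound for either field


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account in a hypothetical table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                 ("admin", salt, _hash("S3cure-example-pass", salt)))
    return conn


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input validation: reject empty or oversized fields before touching the database.
    for field in (username, password):
        if not field or len(field) > MAX_FIELD_LEN:
            return False
    # Parameterized query: the username is bound as a value, so quotes, '=' and
    # 'or' inside it can never become part of the SQL statement.
    row = conn.execute("SELECT salt, pw_hash FROM admins WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # The password never reaches SQL; it is hashed and compared in constant time.
    return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print("valid credentials:", verify_login(db, "admin", "S3cure-example-pass"))
    print("advisory string:  ", verify_login(db, ADVISORY_STRING, ADVISORY_STRING))
```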

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

3