Mukd-482

| Technique | Indicator | Tool/Command |
|-----------|-----------|--------------|
| | Requests to `/login` containing `X-Forwarded-User` from non-trusted IPs | `grep "X-Forwarded-User" /var/log/nginx/access.log` |
| WAF rule | Block any `X-Forwarded-User` header from external sources | `SecRule REQUEST_HEADERS:X-Forwarded-User "!@ipMatch 10.0.0.0/8" "id:900001,phase:1,deny,status:403,msg:'Blocked forged X-Forwarded-User'"` |
| IDS/IPS | Alert on POST to `/login` with both `X-Forwarded-User` and `X-Forwarded-For` present | Snort/Suricata rule: `alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MUKD-482 Authentication Bypass"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/login"; http_header; content:"X-Forwarded-User:"; fast_pattern; sid:2026001;)` |

to POST /login with the following JSON body: mukd-482

A vulnerability (MUKD-482) has been discovered in the MUKD-Web content-management system (versions 3.1.0-3.4.5). An unauthenticated attacker can craft a specially formatted HTTP request that bypasses the login routine and gains administrative privileges, leading to full system compromise.