# Exploit Title: MaxTime Database Editor 1.9 Authentication Bypass
# Google Dork: N/A
# Date: 07/09/2024
# Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com
# Vendor Homepage: https://www.q-free.com
# Software Link: N/A
# Version: 1.9
# Tested on:  (Intelight x-1) Linux 3.14.57 
# CVE : CVE-2024-38944

## Vulnerability Description
This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor. 
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware. 
The issue results from the lack of authentication prior to allowing access to functionality. 
An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection,
modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion.

## Steps to Reproduce

Navigate to the IP address of an identified controller
When prompted for authentication append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address
Under the web security tab change the drop down from enabled to disabled and select apply or take note of the username and password and login with those.