A security flaw at DavaIndia Pharmacy allowed attackers to access customers’ data and more


Pierluigi Paganini February 16, 2026

A security flaw at DavaIndia Pharmacy exposed customer data and gave outsiders full admin control of its systems.

DavaIndia is a large Indian pharmacy retail chain focused on selling affordable generic medicines. Operated by Zota Health Care Ltd., the brand promotes low-cost alternatives to branded drugs to make healthcare more accessible across India.

DavaIndia runs hundreds of franchised stores nationwide and positions itself as a value-driven pharmacy network, offering prescription medicines, over-the-counter products, and wellness items at discounted prices. Its business model centers on reducing medicine costs while expanding access in both urban and semi-urban areas.

A security vulnerability at DavaIndia Pharmacy allowed unauthorized access to its platform, exposing customer order data and granting full administrative control. The weakness also put sensitive drug-control functions at risk, raising serious concerns about data protection and the integrity of its internal systems.

The security researcher Eaton Zveare disclosed serious flaws in DavaIndia. While analyzing its website, the researcher found an exposed admin subdomain that allowed unauthenticated access to super-admin APIs.

“The site is developed using Next.js, so naturally there’s plenty of client-side JS to pick through. One part that stood out immediately was the forgot password code that mentioned super-admin APIs,” wrote the expert. “As a test, I went to the endpoint in the browser and was presented with the list of super admin users! All without authenticating.”

By crafting a POST request, he was able to create a new super admin account and gain full control of the platform.

With this access, it was possible to view and edit stores, pharmacist details, customer orders, personal data, products, inventory, and coupons. The researcher even generated a 100% discount coupon and demonstrated how prescription requirements could potentially be bypassed, highlighting major risks to customer privacy and drug controls.
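The handler pattern behind the flaw described above, as an added example that is not DavaIndia's or the researcher's code: the unauthenticated shape beside a deny-by-default guard that also attributes every privileged change to an authenticated actor. The `/api/super-admin/` prefix, the session fields and the in-memory store are assumptions.

```javascript
// Constructed in-memory stand-in for the super-admin user table and an audit log.
function newStore() {
  return { superAdmins: [{ id: 1, email: 'owner@example.invalid' }], audit: [] };
}

// Vulnerable shape (what the disclosure describes): the handler never looks at
// who is calling, so a plain GET lists every super admin and a plain POST
// creates a new one.
function vulnerableHandler(req, store) {
  if (req.method === 'GET') return { status: 200, body: store.superAdmins };
  if (req.method === 'POST') {
    const user = { id: store.superAdmins.length + 1, email: req.body.email };
    store.superAdmins.push(user);
    return { status: 201, body: user };
  }
  return { status: 405, body: null };
}

// Hardened shape: a deny-by-default guard keyed on the route prefix, so a newly
// added admin endpoint is covered without anyone remembering to protect it.
// req.session must be populated server-side from a verified cookie or token,
// never from headers or body fields the client controls.
const ADMIN_PREFIX = '/api/super-admin/';

function requireSuperAdmin(req) {
  if (!req.path.startsWith(ADMIN_PREFIX)) return null; // not an admin route
  const s = req.session;
  if (!s || !s.userId) return { status: 401, body: { error: 'authentication required' } };
  if (s.role !== 'super-admin') return { status: 403, body: { error: 'super-admin role required' } };
  return null;
}

function hardenedHandler(req, store) {
  const denied = requireSuperAdmin(req);
  if (denied) return denied;
  if (req.method === 'GET') return { status: 200, body: store.superAdmins };
  if (req.method === 'POST') {
    const user = { id: store.superAdmins.length + 1, email: req.body.email };
    store.superAdmins.push(user);
    // Privileged changes are attributed to the authenticated actor, so a
    // defender can later answer "who created this account".
    store.audit.push({ action: 'create-super-admin', actor: req.session.userId, target: user.email });
    return { status: 201, body: user };
  }
  return { status: 405, body: null };
}
```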

“Some items require a prescription to purchase. This is controlled by a toggle,” continues the expert. “If you wanted to buy something that would require a prescription, you could in theory toggle this off and then submit your order. This was not tested, but it is highly likely it would have worked.”

The exposed admin panel also included a “Sponsor Settings” feature that controlled the homepage videos, meaning an attacker could have swapped that content, even pulling off a Rick Roll prank.

The flaw was reported on August 20, 2025, and fixed within a month, though confirmation was delayed. With support from CERT-In, the case was finally confirmed closed on November 28, 2025, and publicly disclosed on February 13, 2026.


Pierluigi Paganini

(SecurityAffairs – hacking, DavaIndia Pharmacy)

Source: https://securityaffairs.com/188056/security/a-security-flaw-at-davaindia-pharmacy-allowed-attackers-to-access-customers-data-and-more.html