Today, my super administrator password was changed by someone else. After investigation, it was found that the system’s backend administrator password reset function had a serious logical vulnerability, which the hacker exploited to reset the super administrator password. The vulnerability is mainly reflected in the following three aspects:
1. Lack of frequency limit for verification codes (easily brute-forced): The routing interface for backend password retrieval (such as verify-code) has no rate limit. After triggering the password reset email, a hacker can write a script to continuously request this interface. Because the system verification code is only 6 digits, a hacker can quickly brute-force the correct verification code by iterating through (100000 – 999999).
2. Verification codes never expire: In the logic of the verifyCode and reset methods, the system does not check the created_at (creation time) when verifying the token. As long as the verification code has not been used (status is ENABLE), it remains valid indefinitely, giving hackers unlimited time to crack it.
3. The final reset API fails to verify email ownership. This is the most critical vulnerability: when executing the final password change in ResetPasswordController.php, the code only queries the database using `where('token', $request->token)` and then directly uses the email address from the database record to reset the password, completely ignoring the email parameter passed in the hacker’s request. This means that if a hacker happens to encounter any historically saved CAPTCHA, they can reset the administrator password corresponding to that CAPTCHA.
We appreciate your detailed report of the vulnerability in our eSIM platform’s backend administrator password reset function. We take security issues seriously and will investigate this matter thoroughly.
To ensure we fully understand the issue, could you please provide us with more information about how you encountered this vulnerability? For example:
- What steps did you take to exploit the vulnerability?
- Were there any specific circumstances or conditions that led to the vulnerability being triggered?
Your detailed report will help us reproduce and fix the issue promptly. We will also make sure to update our platform to prevent similar vulnerabilities in the future.
Thank you for bringing this to our attention, and we look forward to your response with more information.
Regarding the vulnerabilities in the source code, we made modifications covering the following three files:
1. Route Frequency Limit Defense
- File: admin.php
- Action: Added `->middleware('throttle:5,1')` and `->middleware('throttle:10,1')` to the routes for sending verification codes, verifying verification codes, and changing passwords.
2. Forced 10-Minute CAPTCHA Expiration + Failed-Attempt Counter
- File: ForgotPasswordController.php
- Action: Added the conditional check `->where('created_at', '>=', Carbon::now()->subMinutes(10))` when querying reset requests. In the `sendResetCodeEmail` method, when generating a new verification code, an attempt counter is initialized in the user’s session: `session()->put('pass_res_attempts', 0)`. If the cumulative number of incorrect attempts reaches 3, the system will immediately set the database status of the verification code to `Status::DISABLE` (completely invalid), clear the corresponding session record, and forcibly redirect the user to the initial password recovery page, displaying the message “Too many invalid attempts. The verification code has been revoked.”
3. Strong Binding of Account and Token
- File: `ResetPasswordController.php`
- Operation: Added `->where('email', $request->email)` when resetting the password. Also fixed the expiration time blind spot when the controller displays the reset form page (`showResetForm`).
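To make the three flaws in the report above and the corresponding checks in the fix concrete, here is an added, framework-free PHP model. It is not ViserLab's code and not the project's actual controllers: the in-memory "table", the function names (`accountResetVulnerable`, `checkResetRequest`, `throttleAllows`), the row layout and the sample rows are constructed assumptions, and the comments point at the Laravel query fragments each check stands in for.

```php
<?php
// Added example, not ViserLab's code: a framework-free PHP model of the checks the
// report says were missing and the fix says were added. The array "table", the row
// layout and the sample rows are constructed stand-ins for the real reset table.
declare(strict_types=1);

const CODE_TTL_MINUTES = 10;   // the 10-minute expiry from the fix
const MAX_ATTEMPTS     = 3;    // the "3 incorrect attempts" rule from the fix
const STATUS_ENABLE    = 'ENABLE';
const STATUS_DISABLE   = 'DISABLE';

// Constructed reset requests, keyed by e-mail: one fresh, one three days old.
function sampleResetTable(): array
{
    return [
        'admin@example.test' => ['token' => '123456', 'status' => STATUS_ENABLE,
            'created_at' => new DateTimeImmutable('-2 minutes'), 'attempts' => 0],
        'other@example.test' => ['token' => '654321', 'status' => STATUS_ENABLE,
            'created_at' => new DateTimeImmutable('-3 days'),    'attempts' => 0],
    ];
}

// The reported flaw: the reset step queries by token alone, so the e-mail the
// caller submitted is ignored and whichever account owns that token gets reset.
function accountResetVulnerable(array $table, string $submittedEmail, string $token): ?string
{
    foreach ($table as $email => $row) {          // where('token', $request->token)
        if ($row['token'] === $token && $row['status'] === STATUS_ENABLE) {
            return $email;                        // may differ from $submittedEmail
        }
    }
    return null;
}

// Hardened check for both the verify-code and the reset step: the row must belong
// to the submitted e-mail, still be ENABLE, be younger than the TTL, and the code
// must match; wrong guesses are counted and the code is revoked at MAX_ATTEMPTS.
function checkResetRequest(array &$table, string $email, string $guess): array
{
    if (!isset($table[$email])) {                 // ->where('email', $request->email)
        return ['ok' => false, 'reason' => 'no reset request for this e-mail'];
    }
    $row = &$table[$email];
    if ($row['status'] !== STATUS_ENABLE) {
        return ['ok' => false, 'reason' => 'code revoked or already used'];
    }
    $cutoff = (new DateTimeImmutable())->sub(new DateInterval('PT' . CODE_TTL_MINUTES . 'M'));
    if ($row['created_at'] < $cutoff) {           // ->where('created_at', '>=', now()->subMinutes(10))
        $row['status'] = STATUS_DISABLE;
        return ['ok' => false, 'reason' => 'code expired'];
    }
    if (!hash_equals($row['token'], $guess)) {    // constant-time compare of the 6-digit code
        $row['attempts']++;
        if ($row['attempts'] >= MAX_ATTEMPTS) {
            $row['status'] = STATUS_DISABLE;      // mirrors setting status to Status::DISABLE
            return ['ok' => false, 'reason' => 'too many invalid attempts, code revoked'];
        }
        return ['ok' => false, 'reason' => 'wrong code'];
    }
    $row['status'] = STATUS_DISABLE;              // single use: consume the code on success
    return ['ok' => true, 'email' => $email];
}

// Fixed-window limiter standing in for Laravel's throttle:N,1 middleware
// (N requests per minute per client key); $buckets persists between calls.
function throttleAllows(array &$buckets, string $clientKey, int $maxPerMinute, int $nowTs): bool
{
    $slot = $clientKey . ':' . intdiv($nowTs, 60);
    $buckets[$slot] = ($buckets[$slot] ?? 0) + 1;
    return $buckets[$slot] <= $maxPerMinute;
}

// Walk-through with the constructed data.
$table = sampleResetTable();
printf("vulnerable: attacker submits own e-mail with another user's token -> resets %s\n",
    accountResetVulnerable($table, 'attacker@example.test', '654321'));

$table = sampleResetTable();
printf("hardened, stale code: %s\n", checkResetRequest($table, 'other@example.test', '654321')['reason']);
foreach (['000000', '000001', '000002', '123456'] as $guess) {
    $r = checkResetRequest($table, 'admin@example.test', $guess);
    printf("hardened, guess %s: %s\n", $guess, $r['ok'] ? 'accepted' : $r['reason']);
}
// After three wrong guesses even the real code 123456 is refused, so the
// 100000-999999 sweep described in the report cannot run to completion.

$buckets = [];
$allowed = 0;
for ($i = 0; $i < 8; $i++) {
    $allowed += throttleAllows($buckets, '203.0.113.7', 5, 1700000000) ? 1 : 0;
}
printf("throttle:5,1 lets %d of 8 verify-code calls in one minute through\n", $allowed);
```

Run it with the `php` command-line binary. The vulnerable lookup shows why any token found in an old row resets a different account; the hardened check rejects the three-day-old code, revokes the fresh one after three wrong guesses, and the fixed-window limiter shows what `throttle:5,1` does per client key. Two design choices differ from the fix as described: the code comparison uses `hash_equals` so response timing does not depend on how many leading digits matched, and the attempt counter lives on the reset row rather than in the session, since a counter stored in the session is discarded whenever the client simply drops its session cookie.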
Thank you for sharing the modifications you made to address the vulnerabilities in our eSIM platform’s backend administrator password reset function.
We appreciate your efforts and attention to security details.
To further assist us in verifying and incorporating these changes into our product, we kindly request that you open a support ticket at https://viserlab.com/support with more information about the modifications you made, including any code snippets or specific details of the updates.
This will enable our technical team to review and implement these changes effectively, ensuring the security and stability of our platform for all users.
I am getting an issue with flags not being displayed on destinations. Is there a bulk upload for destination flags?
Please open a support ticket at https://viserlab.com/support regarding this. Our technical team will assist you on it.
Friends, where else can I find mature ESIM platform source code? I’ve purchased from several service providers on CodeCanyon, but they all have some issues.
If you encounter any issues with your eSIM platform purchase, please open a support ticket at https://viserlab.com/support . Our technical team will assist you promptly.
In the next update, kindly add a home page where clients can download our mobile app, and also kindly consider adding new themes like popular eSIM platforms, which you could offer as an add-on to buy.
Thank you for your suggestion. We’ve noted the request for a mobile app download homepage and new theme add-ons for future updates.
How do I download v1.5? I downloaded v1.4 from the download center.
I have bought the Mobile app also, but the eSIM – International eSIM And Data Purchase Platform is v1.4.
When is the next update? We want a stable version (including the app) to launch commercially. Is the current version okay?
Because we still need to conduct secondary development, including for SMS functionality providers and more data types.
Please open a support ticket at https://viserlab.com/support regarding this.
Great work! Could you include virtual phone numbers and SMS providers?
Thank you for your suggestion. I’ve taken a note of it for consideration.
Hello,
I updated the script to version 1.5, but I could not find the Mobile App Compatible option mentioned in the changelog. Could you please tell me where I can find or enable this feature?
Thank you.
The app will be published soon.
Do I need to buy the app, or will it be included in the update?
You need to buy the app separately.
When will the app be shared?
The app will be published soon.
I’m not clear about the issue. What’s wrong here?
Map image issue: can you find a way for the system to automatically fetch images for maps?
No, currently, there is no option like that. You have to upload each image manually.
In the next update, can you make it automatic?
I’ve taken a note of it for consideration in the next update.
Question: can you use two eSIM providers at the same time? Like, say, you have both Airalo and eSIM Card at the same time.
Yes, you can use multiple providers at a time.
I’m installing a script on my web server and can’t activate it. It’s showing the error: “The system detects that you are trying to activate the product on an unauthorized domain or IP. You can ask for support by creating a support ticket.”
Please fix or reset the Purchase Code.
Please open a support ticket here: https://viserlab.com/support
Our Technical team will assist you.
Regards
In the next update, integrate the Maya.net API.
What is the cost of integrating that API and creating a REST API to integrate it into our app? Please tell me the cost.
Thank you for your suggestions. Please open a support ticket at https://viserlab.com/support regarding this. Our team will help you with it.
Any update, and when do you release the Flutter app?
We’re working on it. I think we can release it soon.
Great looking script! Before purchasing, I want to ask: Can this be used as a B2B portal where only registered travel agencies can see and purchase packages? I need to give them their own dashboard. Each travel agency gets their own panel to buy and manage eSIMs.
That’s possible. But you need to customise the existing script for that.
Thanks for the quick reply! Since it requires customization, could you please provide a rough estimate of the cost and timeline for these changes? Specifically, I need the B2B agent dashboard and the ‘private’ product view for guests. Do you offer these customization services directly?
Sir, we do offer customization service. Could you please open a support ticket at https://viserlab.com/support regarding this? Our team will assist you there.
Can it work with any SIM card?
Yes, it will work alongside any SIM card.
Your physical SIM card will continue to function normally. The eSIM operates separately and connects independently on your device, allowing you to use both without any conflict.
Can it work on the internet, as MBs?
Yes, there is a data package here.
Does it work like MTN airtime in Africa?
What about calls and texting?
Our integrated API also provides airtime, but the SMS option is not available.
OK, what about voice calls?
The airtime feature is available.
Can it allow calls, both as voice calls and over the internet?
Yes, it allows.
Okay
Thank you for your interest.
Is there any possible release date of Flutter app?
Sir, we’re actively working on the mobile app. We’ll release the app once we’re done.
I am waiting for your Flutter app for this, and I will buy this immediately. Please maintain this, because this is a long-term and great thing.
Sir, we’re working with the Flutter app. We’ll release it soon. Thank you for your interest.
I’ve been waiting for the Flutter app to come so that I can finally purchase this as a whole, since 100% of my users will be using the app and the website will only be used for advertisement or marketing and SEO.
Sir, we’re currently working on the mobile app for this script. I hope we can release it soon.
Hello,
Could you please confirm the following details:
• Whether the system supports B2B subscription plans
• The expected availability date of the mobile application
• If integration with other eSIM providers is supported
Thank you.
1. No, currently the system does not support B2B subscription plans.
2. Our technical team is working on this feature and it will be published very soon.
3. Currently, there are fixed providers: Dataplans.io, eSIM.sm, ESIM ACCESS, eSIM Card, and Airalo.
I want to buy it, but I have a question: I have B2B customers. Can I create a group price for B2B?
Currently, this feature is not available in the script. It does not support creating group-based or B2B-specific pricing.