Vendor: ProConf
By: S. M. Zia Ur Rashid
CVSS: 4.1 (MEDIUM)
Vulnerability Type: Insecure Direct Object Reference (IDOR)
CWE: 862
Product Name: ProConf
Affected Version From: <= 6.0
Affected Version To: 6
Patch Exists: YES
Related CVE: CVE-2018-16606
CPE: a:proconf:proconf:6.0
Metasploit:
Other Scripts:
Platforms Tested: Windows
Year: 2018

ProConf 6.0 Insecure Direct Object Reference Vulnerability

In ProConf version before 6.1, an Insecure Direct Object Reference (IDOR) vulnerability exists. This vulnerability allows any author to access and retrieve all submitted papers including titles, abstracts, and personal information of authors (such as Name, Email, Organization, and Position) by manipulating the Paper ID parameter.

Mitigation:

To mitigate this vulnerability, the application must enforce server-side authorization on the paper lookup: before returning the details for a given Paper ID, check that the signed-in author is actually entitled to that paper (for example, is one of its submitting authors) rather than trusting the client-supplied identifier. Upgrading to the patched version 6.1 removes the issue.
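The following is an added illustration of that authorization step, not ProConf's code: the flawed lookup that trusts `pid` alone is shown beside a hardened version that scopes the lookup to the conference in the URL and to the requesting author. Paper records, conference names and user identities are constructed sample data.

```python
# Added example, not ProConf's code: the server-side authorization step that the
# show_paper_details.php?pid=... lookup lacks. Paper data and user names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Paper:
    pid: int
    conference: str           # the [conference-name] segment of the URL
    title: str
    abstract: str
    author_emails: frozenset  # the submitting author(s) permitted to view it


# Constructed sample submissions from two different authors in one conference.
PAPERS = {
    1001: Paper(1001, "conf-a", "Paper A", "Abstract A", frozenset({"alice@example.org"})),
    1002: Paper(1002, "conf-a", "Paper B", "Abstract B", frozenset({"bob@example.org"})),
}

# Denied requests are recorded so that one account walking through pid values is visible to monitoring.
DENIALS: list = []


class NotFound(Exception):
    pass


def _render(paper: Paper) -> dict:
    return {"title": paper.title, "abstract": paper.abstract,
            "authors": sorted(paper.author_emails)}


def show_paper_details_vulnerable(pid: int, current_user: str) -> dict:
    """The flawed pattern: pid is the only input consulted; the caller's identity is ignored."""
    paper = PAPERS.get(pid)
    if paper is None:
        raise NotFound(pid)
    return _render(paper)


def show_paper_details_fixed(pid: int, conference: str, current_user: str) -> dict:
    """Hardened pattern: resolve the object, then verify the requester's relationship to it."""
    paper = PAPERS.get(pid)
    # Scope the lookup to the conference in the URL as well as to the signed-in author.
    if paper is None or paper.conference != conference or current_user not in paper.author_emails:
        # Same error for "missing" and "not yours": the response must not confirm that a pid exists.
        DENIALS.append({"user": current_user, "conference": conference, "pid": pid})
        raise NotFound(pid)
    return _render(paper)
```

Reviewers or chairs who legitimately need to see other authors' papers would get their own explicit rule in the hardened function; the point is that every path to a paper record passes through a check tied to the caller, not to the identifier.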

Exploit-DB raw data:

# Exploit Title: ProConf 6.0 - Insecure Direct Object Reference (IDOR)
# Date: 19/07/2018
# Exploit Author: S. M. Zia Ur Rashid, SC
# Author Contact: https://www.linkedin.com/in/ziaurrashid/
# Vendor Homepage: http://proconf.org & http://myproconf.org
# Version:  <= 6.0
# Tested on: Windows
# CVE : CVE-2018-16606
# Patched Version: 6.1

# Description:
In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows
any author to view and grab all submitted papers (Title and Abstract) and
their authors' personal information (Name, Email, Organization, and
Position) by changing the value of Paper ID (the pid parameter).

# PROOF-OF-CONCEPT
Step 1: Sign in as an author for a conference & submit a paper. You'll get
a paper ID.
Step 2: Now go to paper details and change the value of Paper ID (param
pid=xxxx) to the nearest previous value to view others' submitted paper &
authors' information.
http://[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx