Last active
January 3, 2021 14:42
-
-
Save alacerda/3b925cb333eb839ae808d6f01642aeb3 to your computer and use it in GitHub Desktop.
Mk-Auth Authenticated IDOR via Invoice ID
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Product Description: | |
| Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel. | |
| Vulnerability Description: | |
| It is possible to leak other user’s sensitive information like CPF (Personal Number used in Brazil) by manipulating the number of the invoice requested. | |
| Additional Information: | |
| Any authenticated user can read arbitrary invoices even if it does not belong to the authenticated user. The response leaks sensitive information of the user that the invoice refers to. See below an example of a GET request: | |
| GET /central/recibo.php?titulo=00006 HTTP/1.1 | |
| Vulnerability Type: | |
| CWE-639: Authorization Bypass Through User-Controlled Key | |
| Vendor: | |
| Mk-Auth | |
| Affected Product: | |
| MK-Auth 19.01 :: K4.9 | |
| Probably previous are also affected | |
| Affected Component: | |
| Faturas: Recibo | |
| Attack Vector: | |
| Remote | |
| Code Execution: | |
| No | |
| Attack Vector: | |
| Any client of the Internet Service Provider that has access to the platform (to download billings and request for support) may exploit this vulnerability. | |
| Reference: | |
| http://mk-auth.com.br/ | |
| Discoverer: | |
| Alan Lacerda (alacerda) | alacerda[at]intruderlabs.com.br | |
| Filipe Cordeiro (sknux) | c_sfilipe@outlook.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment