Submit #441913: Code4Berry Decoration Management System 1.0 Improper Access Controls

Title: Code4Berry Decoration Management System 1.0 Improper Access Controls

Description: You can find the PHP/MySQL code at: https://code4berry.com/projects/decoration.php

This vulnerability is a combination of an IDOR possible through a lack of effective server-side validation of both authentication and authorization. Using a POST request at /decoration/admin/update_image.php?id=[UserID], you are able to change another user's profile photo. For this to work, you do need to have a valid logged-in session; however, a standard user can do this to an admin or superadmin, the latter automatically issued an id of "2" for the initial profile the framework comes with (login: admin:1234 to access).

The POST request uses the multipart/form-data syntax to change the profile photo with four parameters across three sections. First, "productName" is automatically filled with the name of the user that initiates the profile photo change. To change the profile photo successfully, this name parameter must match the target user you are attacking. To find the names of all registered users, you can send a request to http://example.com/decoration/admin/userregister.php and see all users' permissions and full names (only admins and superadmins see this endpoint on their hamburger menu, so it should not be accessible to normal users). If the "productName" parameter uses an incorrect name that does not match the target user designated via the URL parameter "id", the request will delete their current photo. So even without knowing any usernames, you could cycle through the IDs from 1-100 and delete all users' profile photos.

The request looks like (note: Gerald Smith is the default admin name on the included superadmin):

POST /decoration/admin/update_image.php?id=2 HTTP/1.1
[..snip..]
------WebKitFormBoundaryst71o445zYWNRVNs
Content-Disposition: form-data; name="productName"

Gerald Smith
------WebKitFormBoundaryst71o445zYWNRVNs
Content-Disposition: form-data; name="productimage1"; filename="whatever.jpg"
Content-Type: image/jpeg

[... image data ...]
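As an added example (not Code4Berry's code), this is how the update_image.php handler could enforce the missing checks server-side: the id parameter is honoured only for the session's own user or an admin role, and a mismatched name or a bad upload no longer deletes the existing photo. The session keys, role names, users table columns and the $pdo connection are assumptions.

```php
<?php
// Added example (not Code4Berry's code): a server-side guard for the
// update_image.php handler. Session keys, role names, table/column names
// and the $pdo connection are assumptions for illustration.
declare(strict_types=1);
session_start();

// Authorization decision: a user may replace only their own photo;
// admin and superadmin roles may replace anyone's.
function canUpdateImage(?int $sessionUserId, string $role, int $targetId): bool
{
    if ($sessionUserId === null) {          // authentication check first
        return false;
    }
    return $sessionUserId === $targetId
        || in_array($role, ['admin', 'superadmin'], true);
}

$targetId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($targetId)) {
    http_response_code(400);
    exit('invalid id');
}

$sessionUserId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$role          = (string) ($_SESSION['role'] ?? '');
if (!canUpdateImage($sessionUserId, $role, $targetId)) {
    http_response_code(403);                 // no photo change, no deletion
    exit('forbidden');
}

// Validate the upload before touching the database, so a bad or missing
// file never results in the existing photo being removed.
$file = $_FILES['productimage1'] ?? null;
if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('missing image');
}
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!in_array($mime, ['image/jpeg', 'image/png'], true)) {
    http_response_code(415);
    exit('unsupported image type');
}
// Store under a server-chosen name and update the row selected by the
// authorised id only; the client-supplied "productName" is not consulted.
$storedName = bin2hex(random_bytes(16)) . ($mime === 'image/png' ? '.png' : '.jpg');
move_uploaded_file($file['tmp_name'], __DIR__ . '/uploads/' . $storedName);
$stmt = $pdo->prepare('UPDATE users SET image = :img WHERE id = :id');
$stmt->execute([':img' => $storedName, ':id' => $targetId]);
```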
User: scumdestroy (UID 48934)
Submission: 11/12/2024 04:21 AM (1 Year ago)
Moderation: 11/20/2024 09:11 AM (8 days later)
Status: Accepted
VulDB entry: 285499 [Code4Berry Decoration Management System 1.0 User Image update_image.php productimage1 access control]
Points: 17
