| 제목 | BichitroGan ISP Billing Software 2025.3.20 Insecure Direct Object Reference (IDOR) / Broken Access Control |
|---|
| 설명 | An Insecure Direct Object Reference (IDOR) vulnerability exists in the BichitroGan ISP Billing Software version 2025.3.20.
The endpoint:
?_route=settings/users-view/{id}
does not properly validate user authorization. A low-privileged authenticated user (such as a Sales role) can manipulate the user ID parameter to access other users' account information, including administrative accounts.
By changing the numeric ID in the URL, attackers can enumerate users and retrieve sensitive account information without proper authorization checks.
Example:
https://demo.bichitrogan.com/?_route=settings/users-view/4
Impact:
• Unauthorized access to user information
• Exposure of administrator account details
• User enumeration
• Potential reconnaissance for privilege escalation
The vulnerability occurs due to missing server-side access control validation on the user profile endpoint. |
|---|
| 원천 | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/15 |
|---|
| 사용자 | 4m3rr0r (UID 85795) |
|---|
| 제출 | 2026. 03. 12. AM 10:15 (17 날 ago) |
|---|
| 모더레이션 | 2026. 03. 27. PM 05:06 (15 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 353953 [BichitroGan ISP Billing Software 2025.3.20 Endpoint users-view 아이디 권한 상승] |
|---|
| 포인트들 | 20 |
|---|