Submit #255774: PHPGurukul Online Notes Sharing System 1.0 Parameter Tampering

Title: PHPGurukul Online Notes Sharing System 1.0 Parameter Tampering
Description:
Bug Description: A vulnerability in the Online Notes Sharing System 1.0 allows an attacker to tamper with parameters, specifically the "Contact Number", during the user profile update process. While the application restricts direct modification of the contact number through the browser interface, an attacker can manipulate the request after clicking the "Update" button, leading to unauthorized changes in the user's contact information.

Steps to Reproduce:
# Exploit Title: Parameter Tampering in Contact Number in Online Notes Sharing System
# Date: 20-12-2023
# Exploit Author: dhabaleshwardas
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-notes-sharing-system-using-php-and-mysql/
# Version: 1.0
# Tested on: firefox/chrome/brave
# CVE:

To exploit the vulnerability:
1- Log in to the application and navigate to the user profile page. View the current contact number displayed in the Contact Number field. Attempt to modify the contact number directly through the browser interface; note that the application prevents direct modification at this stage.
2- Click the "Update" button to submit the profile update.
3- Intercept the request using a tool like Burp Suite or the browser's developer tools. Modify the "mobilenumber" parameter in the intercepted request to a new, unauthorized contact number.
4- Forward the modified request to the server.
5- The server accepts the tampered request, and the user's mobile number is updated to the unauthorized value.

Impact: This vulnerability allows an attacker to tamper with parameters during the user profile update process, leading to unauthorized changes in the user's contact information. The impact may include impersonation, social engineering, or unauthorized access to sensitive data associated with the modified contact number.

Remediation: Implement strong server-side validation for all parameters, including the Contact Number, during the update process. A field that the interface presents as read-only must also be treated as read-only by the server, which cannot rely on browser-side restrictions.
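The remediation above, as an added illustration (example code, not PHPGurukul's own): a server-side guard for the profile update handler that refuses any request whose "mobilenumber" differs from the value on record and only writes an allowlist of editable fields. The field names fullname and email, the stored row and the POST body are assumptions constructed for the example.

```php
<?php
// Added example, not code from the Online Notes Sharing System. The
// profile form shows "mobilenumber" as read-only, so the server must treat
// it the same way: accept it only if unchanged, and write only the fields
// this flow owns. Field names other than "mobilenumber" are assumed.
declare(strict_types=1);

// Returns the columns that may be written, or throws when the request
// tries to change a field this handler does not own.
function filter_profile_update(array $post, array $stored): array
{
    // Fields the profile form is allowed to change (assumed names).
    $editable = ['fullname', 'email'];

    // Protected field: it must arrive unchanged (or not at all).
    if (array_key_exists('mobilenumber', $post)
        && (string)$post['mobilenumber'] !== (string)$stored['mobilenumber']) {
        // Record it as a tampering indicator; the browser never offers this change.
        error_log(sprintf('profile update: mobilenumber tamper attempt by uid %d', $stored['id']));
        throw new RuntimeException('Contact number cannot be changed here.');
    }

    $update = [];
    foreach ($editable as $field) {
        if (!isset($post[$field])) {
            continue;
        }
        $value = trim((string)$post[$field]);
        if ($field === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            throw new RuntimeException('Invalid email address.');
        }
        if ($field === 'fullname' && !preg_match('/^[\p{L} .\'-]{1,100}$/u', $value)) {
            throw new RuntimeException('Invalid name.');
        }
        $update[$field] = $value;
    }
    return $update; // bind these with a prepared statement in the UPDATE
}

// Constructed sample: the stored row and a POST body with a changed number.
$stored = ['id' => 42, 'fullname' => 'Alice', 'email' => 'alice@example.com', 'mobilenumber' => '9000000000'];
$tampered = ['fullname' => 'Alice', 'email' => 'alice@example.com', 'mobilenumber' => '9111111111'];
try {
    filter_profile_update($tampered, $stored);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The same request with the stored number (or with the parameter omitted) passes and yields only the allowlisted columns.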
Source: https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/notes_parameter_tampering.md
User: dhabaleshwar (UID 58737)
Submission: 12/20/2023 17:40
Moderation: 12/21/2023 17:13 (24 hours later)
Status: Accepted
VulDB entry: 248742 [PHPGurukul Online Notes Sharing System 1.0 Contact Information /user/profile.php mobilenumber access control]
Points: 20
